Malware Analysis Report

2025-01-06 08:10

Sample ID: 240604-bjef2agf83
Target: 1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe
SHA256: ea5c7f2d1953332f252007b13c373e4b7fe386b05cb090fa78562b541a503a9f
Tags: evasion persistence ransomware trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

ea5c7f2d1953332f252007b13c373e4b7fe386b05cb090fa78562b541a503a9f

Threat Level: Known bad

The file 1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence ransomware trojan

Modifies visibility of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

UAC bypass

Modifies WinLogon for persistence

Drops file in Drivers directory

Disables RegEdit via registry modification

Sets file execution options in registry

Disables use of System Restore points

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops desktop.ini file(s)

Adds Run key to start application

Checks whether UAC is enabled

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

Unsigned PE

Modifies Internet Explorer settings

Modifies registry class

Modifies Control Panel

Suspicious use of SetWindowsHookEx

System policy modification

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-04 01:10

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-04 01:10
Reported: 2024-06-04 01:12
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 4 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 4 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 4 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "4-6-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 4 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 4 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "4-6-2024.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "4-6-2024.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 4 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 4 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "4-6-2024.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 4 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "4-6-2024.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 4 - 6 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 4 - 6 - 2024\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 4 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "4-6-2024.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 4 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created D:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File created \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created D:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\J:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Y:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created \??\H:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
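
The three tables above (Desktop.ini, drive enumeration, Autorun.inf) are the same worm routine seen from three angles: each dropped copy walks the drive letters, opens every root read-only, and writes a Desktop.ini and an Autorun.inf there. Reading that out of a few hundred flattened rows by eye is slow, so the following parser is an added example (not part of the report or the sandbox) that splits the "Description Indicator Process Target" rows into records and summarises which drive letters each process touched. The row grammar is inferred from this page: the process column always starts with `C:\`, the Target column is always "N/A", and indicators may carry the NT `\??\` device prefix. The sample rows embedded in the block are copied from the tables above.

```python
"""Parse the flattened "Description Indicator Process Target" rows of this
report into records and summarise the drive-walking behaviour (Desktop.ini and
Autorun.inf written to one drive letter after another).

Added example, not part of the original report. The row grammar is inferred
from the tables on this page; the column order is Description, Indicator,
Process, Target."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Description prefixes seen in the tables above.
DESCRIPTIONS = (
    "File opened for modification",
    "File opened (read-only)",
    "File created",
    "Set value (str)",
    "Set value (int)",
    "Key created",
)

# Indicator paths may carry the NT DOS-device prefix \??\ (e.g. \??\V:\Autorun.inf)
# or be a bare drive root such as \??\B: from the drive-enumeration rows.
DRIVE_RE = re.compile(r"^(?:\\\?\?\\)?([A-Za-z]):(?:\\|$)")


@dataclass(frozen=True)
class Row:
    description: str
    indicator: str
    process: str
    target: str


def parse_row(line):
    """Split one report row; returns None for header, blank and tag lines."""
    line = line.strip()
    for desc in DESCRIPTIONS:
        if line.startswith(desc + " "):
            break
    else:
        return None
    rest = line[len(desc) + 1:]
    # Every row on this page ends with a Target column of "N/A".
    target = ""
    if rest.endswith(" N/A"):
        rest, target = rest[:-4], "N/A"
    # The process is an absolute path, so it starts at the last " C:\" in the
    # row; indicators that themselves contain C:\ (Desktop.ini at the root,
    # quoted registry data) sit before that point.
    cut = rest.rfind(" C:\\")
    if cut < 0:
        return None
    return Row(desc, rest[:cut], rest[cut + 1:], target)


def parse_report(text):
    rows = [parse_row(line) for line in text.splitlines()]
    return [r for r in rows if r is not None]


def drive_letter(indicator):
    m = DRIVE_RE.match(indicator)
    return m.group(1).upper() if m else None


def drives_by_process(rows, filename):
    """Map process image name -> sorted drive letters on which it touched
    <filename> (case-insensitive match on the last path component)."""
    out = defaultdict(set)
    for r in rows:
        if r.indicator.lower().endswith("\\" + filename.lower()):
            letter = drive_letter(r.indicator)
            if letter:
                out[r.process.rsplit("\\", 1)[-1]].add(letter)
    return {proc: sorted(letters) for proc, letters in out.items()}


def all_drives(rows, filename):
    letters = set()
    for d in drives_by_process(rows, filename).values():
        letters.update(d)
    return sorted(letters)


def enumerated_drives(rows):
    """Drive roots opened read-only (the 'Enumerates connected drives' rows)."""
    letters = {drive_letter(r.indicator) for r in rows
               if r.description == "File opened (read-only)"}
    return sorted(l for l in letters if l)


# Constructed sample: rows copied verbatim from the tables above.
SAMPLE = r"""
Description Indicator Process Target
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created D:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
"""

if __name__ == "__main__":
    rows = parse_report(SAMPLE)
    print(f"{len(rows)} rows parsed")
    print("Autorun.inf drives:", all_drives(rows, "Autorun.inf"))
    print("Desktop.ini per process:", drives_by_process(rows, "Desktop.ini"))
    print("Enumerated drive roots:", enumerated_drives(rows))
```

Run it over the full report text instead of the embedded sample and the Autorun.inf set comes out as nearly every letter from A: to Z:, with each of the five image names (the original sample, smss.exe, csrss.exe, Gaara.exe, Kazekage.exe, system32.exe) contributing its own subset. That per-process split is the useful part for triage: it confirms every dropped copy carries the spreading routine, not just the parent, so removable media and mapped shares need the same cleanup as the host.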

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\4-6-2024.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\4-6-2024.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\4-6-2024.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\4-6-2024.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\4-6-2024.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\4-6-2024.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\4-6-2024.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A

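The registry writes in this report form a small, checkable set: three Run values under the WOW6432Node key (FreeAV, SystemRun, 644r4) that launch from the Fonts and drivers drop directories, EnableLUA forced to 0, the wallpaper pointed at an image dropped under C:\Windows\Fonts, and (in the Control Panel section further down) the marquee screen saver configured to display the worm's message. The block below is an added example, not part of the report or the sandbox: a pure `assess()` function that evaluates a registry snapshot against those values, plus a collector that reads the same keys from a live Windows host through `winreg`. The snapshot layout ("KEY\ValueName" -> data), the severity labels and the benign SecurityHealth control entry are this example's own assumptions; the key names, value names and data come from the tables on this page. The constructed sample snapshot reproduces what the report shows.

```python
"""Evaluate a registry snapshot against the persistence and evasion values this
sample writes (Run keys, EnableLUA, wallpaper, marquee screen saver).

Added example, not part of the original report. The snapshot layout (a dict of
"KEY\\ValueName" -> data), the severities and the live collector are this
example's own assumptions; key and value names come from the tables above."""
import sys

RUN_KEYS = (
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
)
# Run value names written by the sample (see the Run key rows above).
KNOWN_RUN_NAMES = {"freeav", "systemrun", "644r4"}
# Drop locations the sample launches from; a Run entry under any of these is
# suspicious on its own, whatever the value name.
DROP_DIRS = ("fonts\\", "drivers\\", "syswow64\\")
POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
DESKTOP_KEY = r"HKCU\Control Panel\Desktop"
MARQUEE_KEY = r"HKCU\Control Panel\Screen Saver.Marquee"


def assess(snapshot):
    """Return a list of (severity, finding) tuples for one registry snapshot."""
    findings = []
    for key in RUN_KEYS:
        prefix = key.lower() + "\\"
        for path, data in snapshot.items():
            if not path.lower().startswith(prefix):
                continue
            name = path[len(prefix):]
            data_l = str(data).lower()
            if name.lower() in KNOWN_RUN_NAMES:
                findings.append(("high", f"Run value {name!r} matches this sample: {data}"))
            elif any(d in data_l for d in DROP_DIRS):
                findings.append(("medium", f"Run value {name!r} launches from a drop directory: {data}"))
    lua = snapshot.get(POLICY_KEY + r"\EnableLUA")
    if lua is not None and int(lua) == 0:
        findings.append(("high", "EnableLUA = 0: UAC is disabled from the next reboot"))
    wall = str(snapshot.get(DESKTOP_KEY + r"\Wallpaper", ""))
    if "\\windows\\fonts\\" in wall.lower():
        findings.append(("medium", f"Wallpaper served from the Fonts directory: {wall}"))
    scr = str(snapshot.get(DESKTOP_KEY + r"\SCRNSAVE.EXE", "")).lower()
    text = snapshot.get(MARQUEE_KEY + r"\Text")
    if scr == "ssmarque.scr" and text:
        findings.append(("low", f"Marquee screen saver carries a message: {text!r}"))
    return findings


def collect_windows_snapshot():
    """Read the same keys from a live Windows host; empty dict elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for key in RUN_KEYS + (POLICY_KEY, DESKTOP_KEY, MARQUEE_KEY):
        hive, sub = key.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive], sub) as h:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(h, i)
                    except OSError:  # no more values
                        break
                    snapshot[key + "\\" + name] = data
                    i += 1
        except OSError:  # key absent (e.g. WOW6432Node on 32-bit Windows)
            continue
    return snapshot


# Constructed snapshot reproducing the values in the tables above (the Run data
# is stored relative to C:\Windows, exactly as the sample writes it), plus one
# benign Windows Run entry (assumed) as a control.
SAMPLE_SNAPSHOT = {
    RUN_KEYS[1] + r"\FreeAV": r"Fonts\Admin 4 - 6 - 2024\Gaara.exe",
    RUN_KEYS[1] + r"\SystemRun": r"drivers\csrss.exe",
    RUN_KEYS[1] + r"\644r4": "4-6-2024.exe",
    RUN_KEYS[0] + r"\SecurityHealth": r"C:\Windows\system32\SecurityHealthSystray.exe",
    POLICY_KEY + r"\EnableLUA": 0,
    DESKTOP_KEY + r"\Wallpaper": r"C:\Windows\Fonts\The Kazekage.jpg",
    DESKTOP_KEY + r"\SCRNSAVE.EXE": "ssmarque.scr",
    MARQUEE_KEY + r"\Text": "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )",
}

if __name__ == "__main__":
    live = collect_windows_snapshot()
    for sev, msg in assess(live or SAMPLE_SNAPSHOT):
        print(f"[{sev}] {msg}")
```

On a non-Windows host the script falls back to the constructed snapshot and reports four high, one medium and one low finding; on Windows it reads the live keys. Two details matter when adapting it: the sample writes 32-bit Run values, so they land under WOW6432Node on a 64-bit host and a check of the native Run key alone misses them, and EnableLUA = 0 only takes effect after a reboot, so a host whose UAC still prompts can already carry the value.
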
Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 1724 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 1724 wrote to memory of 3976 N/A C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 3976 wrote to memory of 4596 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 3976 wrote to memory of 4596 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 3976 wrote to memory of 4596 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 3976 wrote to memory of 4956 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe
PID 3976 wrote to memory of 4956 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe
PID 3976 wrote to memory of 4956 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe
PID 4956 wrote to memory of 4784 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 4956 wrote to memory of 4784 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 4956 wrote to memory of 4784 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 4956 wrote to memory of 1236 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe
PID 4956 wrote to memory of 1236 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe
PID 4956 wrote to memory of 1236 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe
PID 4956 wrote to memory of 4452 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe
PID 4956 wrote to memory of 4452 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe
PID 4956 wrote to memory of 4452 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe
PID 4452 wrote to memory of 5008 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 4452 wrote to memory of 5008 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 4452 wrote to memory of 5008 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 4452 wrote to memory of 3204 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe
PID 4452 wrote to memory of 3204 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe
PID 4452 wrote to memory of 3204 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe
PID 4452 wrote to memory of 3584 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe
PID 4452 wrote to memory of 3584 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe
PID 4452 wrote to memory of 3584 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe
PID 4452 wrote to memory of 3276 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4452 wrote to memory of 3276 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4452 wrote to memory of 3276 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3276 wrote to memory of 452 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 3276 wrote to memory of 452 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 3276 wrote to memory of 452 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 3276 wrote to memory of 2396 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe
PID 3276 wrote to memory of 2396 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe
PID 3276 wrote to memory of 2396 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe
PID 3276 wrote to memory of 1560 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe
PID 3276 wrote to memory of 1560 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe
PID 3276 wrote to memory of 1560 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe
PID 3276 wrote to memory of 4160 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3276 wrote to memory of 4160 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3276 wrote to memory of 4160 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3276 wrote to memory of 3124 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3276 wrote to memory of 3124 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3276 wrote to memory of 3124 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3124 wrote to memory of 4004 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 3124 wrote to memory of 4004 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 3124 wrote to memory of 4004 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 3124 wrote to memory of 1436 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe
PID 3124 wrote to memory of 1436 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe
PID 3124 wrote to memory of 1436 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe
PID 3124 wrote to memory of 3960 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe
PID 3124 wrote to memory of 3960 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe
PID 3124 wrote to memory of 3960 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe
PID 3124 wrote to memory of 3228 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3124 wrote to memory of 3228 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3124 wrote to memory of 3228 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3124 wrote to memory of 4132 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3124 wrote to memory of 4132 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3124 wrote to memory of 4132 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4452 wrote to memory of 348 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4452 wrote to memory of 348 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4452 wrote to memory of 348 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4956 wrote to memory of 4872 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=1304,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4456 /prefetch:8

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp

Files

memory/1724-0-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

memory/3976-32-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe

MD5 d8ca1598aaae521f8ddc18e4c0939b48
SHA1 e47ba4da2b1d30dd245af5bdb0598bbc094d5384
SHA256 104daa436803175f5d5abc54aad5e52885dd9543f3d9e680ef5b1be18f57413b
SHA512 f93c8cb202737c2d2e7af7f859f984b6ec5d2573aaa12b8718cc152c87ee3e7db6fd76703a70ad5c81d631404fc9d3710ad330262a86e525672c427350f3618f

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

memory/4596-72-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 ef5080c55880a7dcd62a098481b21d82
SHA1 23b1719edb03f4808b2fcc157456665d087795af
SHA256 1ec191ad918e40226076080560894e0165e102b4a649a14a8afe617806014d08
SHA512 33b50bb0f470174782f7ee63bdc2ff210cb6b2479150e8d63944e395f19fe58a5be2cb7a3c8a954061f7ebb7c4d9cd5821c8b6c81fa53468e16c4b08add5aadf

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 8934655aca458a95f325481221dcd2fa
SHA1 1eb1fe06a37e3d888487065cfa74742e4e168a0b
SHA256 966f2cb0ba04901a0750f6ac577f2b07baf60d95d4da418d93731caa395cc519
SHA512 78ca16f30c70c303a6f663da242f6f381a38e3286160d6e9a41c46099447060edb08ba237748f969850218562bacf0917a77c861259f86f3bd1f4dd63e1db26e

C:\Windows\SysWOW64\4-6-2024.exe

MD5 f70b9de863fc7be66838ce85577e5aa7
SHA1 60d8eebedb90048a8cab189308c0eee2f38fea84
SHA256 7fd23f25d6aa2d46be613774090118aed575fb7ae7fb44e4e71f3313542c45d8
SHA512 1a1466cd035e5c421671747c7167f5c0e545e5e0c45d003f0b5f4c1278e9113d900a249693cf7a0756e6020386bfd52bdc9eb34a993bf6ce4368f1afdefe1479

C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe

MD5 d25f7689a0710a82822a85cc4f30ca95
SHA1 6592630777d13e5f774ccba45ea87ac642b8de7a
SHA256 067301925e3b96489f8bcd2402155b13499dde21bff2900c829b0a79e4d1377a
SHA512 b7f7cd355eb14c4d247ac83bedd684518d1838aea43234ef8283d836dfafda38f6e2f7049fbc7aefde34c071f8eefba142dcbddaf18b156e552d92f1be3d9bce

C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe

MD5 f38263de727905e1dc47af04a3a108cf
SHA1 a3e5d4449e9f6d597156db05b8a290198d314dab
SHA256 4a54f316a8c394be1932eb2c54c5f501a286cedca58de93130fff8da29932e71
SHA512 9bc293715abe7b1ee10df1114c2823340c5ee52e528c16a75aa0d5441c321033b56519a3ea62b22c1b91cbd1f2d954c8a1b5b7c5a8bf836d86dd648a98f5dbda

memory/4596-74-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4956-76-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\drivers\system32.exe

MD5 c184e7035f60dbeb94c4f18d3798f309
SHA1 4fcaa81438f55a7a3e6166ad4d14c504af21e8a3
SHA256 00838d4bb3ec27f4b64704d4226ff28a0d61066a5da8e68423948c64e6c29159
SHA512 dec7535f751a8d969d8f6239f9105df595ed00d98529bc00176b724b5117b95324a5bb7ac5e87bb949b215664df280a9daa3e0c96d97b4572a263a23c68390cf

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 a0670b22caa9d370643ffba544391106
SHA1 45bb08b765d02ed4b97bb585832d7be55cc94cf5
SHA256 e47f5d64588f482d61f916bde7d6ae5a34a083684064c7ba58a1318270b453f5
SHA512 0a54b79f9e8051c1b179ed2eb6af22c2c728241727b76d8cfbadb3a9daf6620f7382032e715f16b4a197ac47cee0dd6cd390c25421624feda0de838807cf9d17

C:\Windows\SysWOW64\4-6-2024.exe

MD5 c89adbec80047bc47ada47288a85c2b6
SHA1 538cab2e9cf6c620137fdd218c601a7bed81718d
SHA256 8c1d7ced501d352b23cde41d504e0761c96c59989b08fa78a7597f24557a5a22
SHA512 b6bc3ec53b775ba754cc73b06f08064af3f1ac10c0da525e244af6adc708183ff316e3e07198118cefd5bb70afd68c5074d8d856987cdffcb5b3d23d43431889

C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe

MD5 5aa3cbbf335ce4756df5e48288c34763
SHA1 23db020d936a7e4d51d6579541e2370fdf7ff22c
SHA256 4cb9656791e32a0681a29854bf6e3f35fc5f47ca568b39f86243509c1c84b9e2
SHA512 d1de2e5da330d0b487107caa101700b80e2d344ba8d3d979a9d19c198dcbadb29894c4b5ffc7da871f6bae2e8ada6d69e3987fd5899763352349c8fe7f4dbea9

memory/4784-109-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1236-119-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4452-118-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 911f0cd143b80797af76a59073328a87
SHA1 0dce4c82bb10d46e0625368d6d2c2d1f926b9afc
SHA256 2c93426762d50748ad1e5d48e7db52a1ba3679d7c966e8ff7fc539715dd1a0d3
SHA512 f8fa341cf27f4e05420798b8b589368f613b85e3e3c8f21d67ce09c50d3c5bb37df70b83e0efa36a80c09d394c9961ab737072dded154f3f1c3b58453d0755e8

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 d5e4f133dff59a08b6fe4262e2b46930
SHA1 e795c0e39297356764073c573b9afee79c211127
SHA256 af5dc07bc657dc938807bdbd8e6fb6dcef81cec195eca2b9973a2056f0c346d6
SHA512 f66bdeec5339e5cc931fe14b77cdf4183191b39e5008d87d0ab09c62833eef07be56c1355b0c5adf031d7ec18fe991e28acf38e82a2af4bd672fd01764256a17

C:\Windows\SysWOW64\4-6-2024.exe

MD5 aa8dccbe820cb7f35503c049faf862e0
SHA1 dee80839334202a1870b64f4685d57e965871618
SHA256 c8ccf2471f8fad663b5a1cc01f002e5274891c5a17f2383ff1019549a32be111
SHA512 c881e52abddaee1385782f7a23a8984f8acd4c217094c9ddef856ddfece85904302cbbf470bb3b16a6592944e2e14f268584cefbaad3d74cc3e4bf52717e2ee3

memory/5008-150-0x0000000000400000-0x0000000000425000-memory.dmp

memory/5008-154-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3204-153-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3584-159-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3204-160-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3584-167-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3276-165-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 d05c1eeebfb68110dbc66fac88ced3fb
SHA1 50f49a3aefd3323d7a6bd2181aa7023423192e28
SHA256 7fab2411c56ab89d7752f64d7d835cd083cb99748b4a170f23b647ae8e31f30d
SHA512 b3559b7c0372c49c408deb5edef5cc8cdd2f3e7977c9ab4d8592ac68f49f9473ebf7832aaed9f1c28c7509c7da335a68d521152793493de6bea3158be94baa15

C:\Windows\SysWOW64\4-6-2024.exe

MD5 aa2a2a23312d5bd001614ba9fc0bca5e
SHA1 c0c5453513e4415bb0aae978c379469e1532ea55
SHA256 266b64597753b63baf08388cfbc2b85f9137098801e56b74fbcc67cb8b794b6a
SHA512 dea0e74b440dd977543e314d4b4a5ebcade623cdb2e1df87713b30c1c552f3467a2a053dc892af5557179eb32548329316d862a6e6c2985fe2a64c8ad0a721c8

memory/452-194-0x0000000000400000-0x0000000000425000-memory.dmp

memory/2396-199-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4160-204-0x0000000000400000-0x0000000000425000-memory.dmp

memory/1560-203-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4160-208-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3124-210-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Windows\SysWOW64\4-6-2024.exe

MD5 39d82313fd6086639fa75cd9fe289c4e
SHA1 346159cb4e31b5ddc7cacf1cb714106a1624845d
SHA256 3a5753ce9ee0ad99a314433dfbf4dab7f7fa5e1362b937d78884dbf6c59b7396
SHA512 4b0bb6955c703ef9f4e6e6a27f1763e7474ed25ca92a1f11bb36f128a667f81b1b52f005f1190fbb2bafd9bbe164ae81862db3985bfc93dc26ccdb873428f911

memory/1436-233-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3960-236-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3228-239-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4132-242-0x0000000000400000-0x0000000000425000-memory.dmp

memory/348-243-0x0000000000400000-0x0000000000425000-memory.dmp

memory/348-246-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4872-252-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3712-255-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4480-260-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3688-263-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4516-266-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4436-269-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3964-272-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4952-275-0x0000000000400000-0x0000000000425000-memory.dmp

C:\Gaara.exe

MD5 1b271ffcd9dc2a6f0dcaa7b67f254910
SHA1 e41b82837b585247a07285df61e22682698dcb8b
SHA256 ea5c7f2d1953332f252007b13c373e4b7fe386b05cb090fa78562b541a503a9f
SHA512 304984ae9b60253d7038ad207dbaf4dfda32c61be95afe4cebe77cbdf9bc9ba86e3988e3afdca072dc04d29a29e5470c6425605a7198addc9aa0de26c3642ce8

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

memory/1724-1022-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3976-1023-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4956-1024-0x0000000000400000-0x0000000000425000-memory.dmp

memory/4452-1025-0x0000000000400000-0x0000000000425000-memory.dmp

memory/3276-1026-0x0000000000400000-0x0000000000425000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 01:10

Reported

2024-06-04 01:12

Platform

win7-20240221-en

Max time kernel

80s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 4 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "4-6-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 4 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 4 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "4-6-2024.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "4-6-2024.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 4 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "4-6-2024.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "4-6-2024.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 4 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 4 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "4-6-2024.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 4 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 4 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 4 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 4 - 6 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 4 - 6 - 2024\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 4 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\J:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File created \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File created \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification F:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\H:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\W:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\4-6-2024.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\4-6-2024.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\4-6-2024.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\4-6-2024.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\4-6-2024.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\4-6-2024.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\4-6-2024.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3036 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 2888 wrote to memory of 2476 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 2888 wrote to memory of 2980 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe
PID 2980 wrote to memory of 2848 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 2980 wrote to memory of 2944 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe
PID 2980 wrote to memory of 2112 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe
PID 2112 wrote to memory of 1480 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 2112 wrote to memory of 816 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe
PID 2112 wrote to memory of 2760 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe
PID 2112 wrote to memory of 1736 N/A C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1736 wrote to memory of 2220 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe
PID 1736 wrote to memory of 1188 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe
PID 1736 wrote to memory of 2900 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe
PID 1736 wrote to memory of 1732 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1736 wrote to memory of 2904 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2904 wrote to memory of 1056 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\1b271ffcd9dc2a6f0dcaa7b67f254910_NeikiAnalytics.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp

Files

C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe

MD5 1b271ffcd9dc2a6f0dcaa7b67f254910
SHA1 e41b82837b585247a07285df61e22682698dcb8b
SHA256 ea5c7f2d1953332f252007b13c373e4b7fe386b05cb090fa78562b541a503a9f
SHA512 304984ae9b60253d7038ad207dbaf4dfda32c61be95afe4cebe77cbdf9bc9ba86e3988e3afdca072dc04d29a29e5470c6425605a7198addc9aa0de26c3642ce8

C:\Windows\system\msvbvm60.dll

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

\Windows\Fonts\Admin 4 - 6 - 2024\smss.exe

MD5 16fd1c9596beb6ad4a9efde062d11301
SHA1 9dbd43b303dc3199ae18176fbdcc06720e6db3a2
SHA256 35a3f94efce8bfb5125f684bfd792da529f12482dbd6c59ebf13d2eec93436d8
SHA512 e5807d00529f303fbd5525580683ac699ea92c68cd46ebda842a04201f538e5a2ec197a1f2b2428f6d87f7105cfb171520416c74095dfaddc044b3b454fd6ab8

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\SysWOW64\4-6-2024.exe

MD5 f473eec938fe2cbdac6bacabe32c6f4a
SHA1 b758933846e04d4920b62800d0a712c8857eae04
SHA256 983e4ece74302a42e51aedda986c232ce754d898f3108be1dcbca7b6eee72c2e
SHA512 fd845cd2781ee7f67c421488716cbc35ee9c474580418fd497eb2e33914c6dea511e620d5f0ef80f90ea2092474ccaf805637c7bb10db738fa27c193982d2ccc

C:\Windows\SysWOW64\drivers\system32.exe

MD5 fc07772ddce86784e6409bb5811f104e
SHA1 803d5b5d3a831a222dbfb690259276411f40fc15
SHA256 04fba0b0abb330b75d8e8003b967e151768f88ff954b7972a89861d53fac9f70
SHA512 ddbd88d5d449ff82ed81ed41a1a80e03ae261e2a5f55f5934e8490ef4c124bec2fde681fc61da605aac0e4b2f39089ba19436eff720c87d60266e98019620222

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 79569fe173a4783ee847748221eb83ee
SHA1 897fe6c00fed592e59ce477fadcedf4153ddcf86
SHA256 8da5e6de08950f55d21c519d032fb86c0bfdbe0d24396f3a5f629e1b426c2c3e
SHA512 bb4bd4840b0129cb6c42ae19a1056639e2c5bfabb3c78b829754f08f5e0eddf63e7237ff862ddcdf47e0de7c431d70a1ab4d565da3b9d514eaf02151649254c3

C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe

MD5 418c5b1c0be0a024d72ccbb189f0caff
SHA1 4e8696c9b35855468cf485593733a63cf17b897a
SHA256 2e5ab72af6a1f7c23ea7a280ea379118c75ab587502da215458ff358719ffcc0
SHA512 9f309bd7c161645cf12dcb5c8d62ede7f171a29b163be2f3ac8bc18a12424f75104fa112415b05bc3558933425b38e9e860e61f3ee483fa9c3b6bd69433d0233

C:\Windows\Fonts\Admin 4 - 6 - 2024\Gaara.exe

MD5 b8b78357e2f70311a172bf6c39e134fd
SHA1 ad50e82b8826ddc92534fcd7b54688aacbb7595b
SHA256 ab4be1a79c95915c8a181f3014e8ea0862dc2c753fb8eee40e4d06696b69d44e
SHA512 a1d87bee079ec16f810b01e3c989dab3d25dcc27283899581fa6761d1f5a7f709617a572d5e96c26fe9003bb16ff0ccc56cb6701d2a16879104c40aa218019f5

C:\Windows\SysWOW64\drivers\system32.exe

MD5 fab959ba3e52b6c20e65d7bd4d816348
SHA1 0c9284316d358f2e85bf0d53f1bcb16889aaab60
SHA256 b7688bf533ab092707c253945fe9108cfad6584bea90450795f778284869a1d3
SHA512 375c7fee29600d6819826c9d75debf823b4e34b2f072fcb5fdca0f03a063a4f742555fba6ba08a88a8754b7fae1096d97ba52fa7ca8d6b3fa7a81e5cb89dfdd6

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 0cda5e6ed1878126026d1e42449373f5
SHA1 9fd42bbabe6c23439ac50a11193b241649e6870f
SHA256 16b6e611911a2fa2314aa79d367f7f70c669cfb3421220fb9f7e71ff558d4242
SHA512 7529eec9ab791ed52794cc66274b1530639db73c72a1dfc29e10233042af2ad039b7e89aa4a73fc53e187f8af2a7816004e72fa90f15e0d768df733cfabe7eec

C:\Windows\SysWOW64\4-6-2024.exe

MD5 4d67d720811cab2458e84fa4efb5f5a3
SHA1 1c607e60969d944993a20e9755534198817d6662
SHA256 318c83a958757071ced5315adddbfe6ef56a64278bc869f96d2dc1b84ab1619a
SHA512 4b9399466f7c4991d75a5f41c651d9af2917d068fbca622a73ef334b9a63c0d61fa928181b31bff9f46486db9c11444b0298d35ce1d6594c715dea7f59a0aac3

C:\Windows\Fonts\Admin 4 - 6 - 2024\csrss.exe

MD5 3c62a79008182a05785259646f0e3307
SHA1 07625f02c31ad19205bf82f7e92cbcfe617ed4df
SHA256 39606b63d70d70a6f0ad5c165fe1a79909a0b83a17a2ba8fe7287e2d73e1bd30
SHA512 93bc75746c440c22617c067b991c0632d70a8275bfcffbe77dd4355fd24d17e3cd7f7cccc50b270b1abdecc22f32a812d7cfe955a68c480b58ad39de1e5fc819

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\drivers\system32.exe

MD5 98740fa2cf954b2d8f8a803a5e9010ea
SHA1 320421b52b308a7d75872cca3ff095bd1836fe20
SHA256 794c9fe681c335922a9d08136a719ceb461d052a826d1a51e00d33ee4978cd4a
SHA512 70ef14fbc72c32f945872fbe8b6863e9515768ca9b1f3763d37c41322c78c137a6d8ee70434c6d0849a8b03fa328d10e054c8055e666b7d737703c6ebe872337

\Windows\SysWOW64\drivers\Kazekage.exe

MD5 5a69461a752bf967d1856114ef139e9a
SHA1 3e36c410ab0bcf074748a316ce074997df78a47d
SHA256 0c107f40f656333ae1119ba051c3f8b49e74d4d758c847334eb9b021ac5978fc
SHA512 4937bf552cce89f6352dca9bfaa2458cd19873f51503d5e8d8c193305680c9d254a08869f6d4a5e834c6439fbec9b11513179693258589fcd7aa1d3fdbc66f4a

C:\Windows\SysWOW64\drivers\system32.exe

MD5 a22776ae761f816478da7853230447e3
SHA1 97f045072d0184307fc2d60bf662f0c09b0d1267
SHA256 2fe1d98126208aebed7474432e75ee47c3cc46b09a09f4098859e2df79132076
SHA512 dcbb735ca07bc7d8d49159cc983cdb261acd1197d674664b91633b58c37d2ab188696143b5cc31e27d4fb794523cd960687bf95c6d7d1adc507561bac8cb034c

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

C:\Windows\mscomctl.ocx

MD5 5c1d148c85922e1e9057537a5653ab3f
SHA1 a96302bdb7cafb53fb5f2afb00ca51b9462c70b2
SHA256 16d5501a494bb95646c7b529d078b18b161d0dbe9032706b08ff2301d0760b17
SHA512 26a3af4eaff329f68c72bd6b8146385b7ce8f0ff12db6c25a39d290b788563397c9ee52b3e8bb82ff253452411a0acff6a41eca1e501a5c38402ae98687be25d

C:\Windows\SysWOW64\MSCOMCTL.OCX

MD5 8a3931b77f9074e0e1bb483cc15054c9
SHA1 451e741133e82fa0abc747219a68c815fc0d2524
SHA256 466c9bfb516b3d071115f0c5baf51b905b13d3d76f35d1cba940e4109827b801
SHA512 58e36f5d5379aade846a383fba4cb36a865f268cf7c36db6e82cc965ef6dd16fc5bff883971f895d68297e045ff0f430360b8b47770766acb9c354adc45800b6

C:\Windows\SysWOW64\4-6-2024.exe

MD5 9d92c7e7929e3fab892e6b4af8757b41
SHA1 112ea9a2598a75cbd974d58d0bf494f1587416cc
SHA256 fb0ada59a8725855635bc463871a9c7b083ed1b4c5f238808dcf09758faa4c96
SHA512 f32546b40a0260503acb3a22019b8026b5af5ca15ab0b2e2fdd7d4b3d11b7e1ef833799f9ea04564fbbed20ddf2a7b381c0b7ddf44d7607100280175177f3167