Malware Analysis Report

2025-01-03 08:27

Sample ID: 240617-b8kdksyemb
Target: 311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe
SHA256: daada888d24a596d4633a77fb3b9537efc18ae18b9537ad13bf3885259e1ff79
Tags: upx evasion persistence ransomware trojan
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: daada888d24a596d4633a77fb3b9537efc18ae18b9537ad13bf3885259e1ff79

Threat Level: Known bad

The file 311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx evasion persistence ransomware trojan

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

UAC bypass

Modifies visibility of file extensions in Explorer

Disables use of System Restore points

Disables RegEdit via registry modification

Sets file execution options in registry

Drops file in Drivers directory

Executes dropped EXE

Loads dropped DLL

UPX packed file

Checks whether UAC is enabled

Enumerates connected drives

Drops desktop.ini file(s)

Adds Run key to start application

Drops file in System32 directory

Drops autorun.inf file

Sets desktop wallpaper using registry

Drops file in Windows directory

Unsigned PE

Suspicious use of SetWindowsHookEx

System policy modification

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Modifies Control Panel

Modifies registry class

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-17 01:48

Signatures

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-17 01:48
Reported: 2024-06-17 01:51
Platform: win7-20240508-en
Max time kernel: 150s
Max time network: 131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A

Modifies visibility of file extensions in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A

UAC bypass

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A

Disables RegEdit via registry modification

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A
File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A

Sets file execution options in registry

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\system32.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\system32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\system32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\system32.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\system32.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\system32.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\system32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\system32.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\system32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\system32.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\system32.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\system32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\system32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\system32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\drivers\system32.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
N/A | N/A | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" | C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" | C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe | N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created \??\O:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\H:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created \??\I:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created \??\N:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created \??\O:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created \??\W:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\M:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\17-6-2024.exe C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
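The rows above show the sample copying itself as csrss.exe, smss.exe and Gaara.exe into C:\Windows\Fonts\Admin 17 - 6 - 2024\ (a folder apparently named after the sandbox user and the detonation date), as system32.exe and Kazekage.exe into C:\Windows\SysWOW64\drivers\, and dropping msvbvm60.dll (the Visual Basic 6 runtime) into C:\Windows, C:\Windows\system, C:\Windows\WBEM and the Fonts folder. The following script is an added example, not part of the report or of the sandbox's own tooling: it parses rows in this table's flattened "Description Indicator Process Target" layout and flags two things a responder would look for on a live host, a core Windows binary name (csrss.exe, smss.exe) living outside System32, and executables written to directories that should hold none (Fonts, any drivers directory). The sample rows are copied from the table; the list of core binaries and the directory rules are this example's own heuristics, not something the report states.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied verbatim from the report's "Files" table
# (flattened "Description Indicator Process Target"; Target is always N/A here).
SAMPLE_ROWS = [
    r"File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A",
    r"File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A",
    r"File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A",
    r"File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A",
    r"File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A",
    r"File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A",
    r"File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A",
]

# Every path in these rows starts with "C:\", so a path runs until the next " C:\" or the end of the row.
PATH_RE = re.compile(r"C:\\.*?(?=\s+C:\\|$)")

# Heuristic (this example's assumption): these core binaries exist only in %SystemRoot%\System32,
# so a file with one of these names anywhere else is masquerading.
CORE_SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "lsass.exe", "services.exe", "winlogon.exe", "wininit.exe"}
SYSTEM32 = "c:\\windows\\system32\\"
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".ocx")


def parse_file_row(row):
    """Split a flattened Files row into action, file path and acting process; None if not a data row."""
    row = row.strip()
    if row.endswith(" N/A"):
        row = row[: -len(" N/A")].rstrip()
    paths = PATH_RE.findall(row)
    if len(paths) != 2:
        return None
    action = row[: row.index(paths[0])].strip()
    return {"action": action, "file": paths[0], "process": paths[1]}


def split_path(path):
    """Return (lower-cased directory with trailing backslash, lower-cased file name)."""
    directory, _, name = path.rpartition("\\")
    return directory.lower() + "\\", name.lower()


def is_masquerading(path):
    directory, name = split_path(path)
    return name in CORE_SYSTEM_BINARIES and directory != SYSTEM32


def is_executable_in_data_dir(path):
    """Executables do not belong under Fonts or under any drivers directory (which holds .sys files)."""
    directory, name = split_path(path)
    return name.endswith(EXECUTABLE_EXT) and (
        directory.startswith("c:\\windows\\fonts\\") or "\\drivers\\" in directory
    )


def triage(rows):
    """Map every suspicious image path in the rows (as dropped file or as acting process) to its reasons."""
    findings = defaultdict(set)
    for row in rows:
        rec = parse_file_row(row)
        if rec is None:
            continue
        for path in (rec["file"], rec["process"]):
            if is_masquerading(path):
                findings[path].add("core Windows binary name outside System32")
            if is_executable_in_data_dir(path):
                findings[path].add("executable in a directory that should hold none")
    return {path: sorted(reasons) for path, reasons in findings.items()}


def vb6_runtime_drops(rows):
    """Directories where the sample writes msvbvm60.dll, the VB6 runtime a VB6-compiled binary needs."""
    dirs = set()
    for row in rows:
        rec = parse_file_row(row)
        if rec and rec["action"] == "File created" and split_path(rec["file"])[1] == "msvbvm60.dll":
            dirs.add(split_path(rec["file"])[0])
    return sorted(dirs)


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_ROWS).items():
        print(path + "\n    " + "\n    ".join(reasons))
    print("VB6 runtime dropped in:", vb6_runtime_drops(SAMPLE_ROWS))
```

On a live host the same two checks translate directly into a hunt: list running processes whose image name is csrss.exe or smss.exe but whose path is not C:\Windows\System32, and list .exe/.dll files under C:\Windows\Fonts and the drivers directories. The VB6 runtime drops are a second handle: the sample cannot run without msvbvm60.dll, so the copies it scatters around %SystemRoot% are part of the cleanup.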

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
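Three of the registry tables above describe one coherent payload. Under HKLM\SOFTWARE\Classes the sample rewrites the Open, Open2 and Edit verbs of VBSFile so that launching or editing any .vbs script starts calc.exe instead of wscript/cscript (a cheap way to stop VBScript-based cleanup scripts from running), and sets the Install verb of inffile to "shutdown -r -f -t 0", so right-clicking an .inf and choosing Install forces an immediate reboot. In the user hive it points SCRNSAVE.EXE at ssmarque.scr, the legacy Marquee screen saver, with its banner text set under Control Panel\Screen Saver.Marquee, sets the wallpaper to the dropped The Kazekage.jpg, and renames the Internet Explorer window title. The script below is an added example, not part of the report or of the sandbox's tooling: it parses "Set value" rows from these three tables, flags any shell-verb command under Classes that no longer behaves like a file handler, and collects the user-visible settings. The hijack test is this example's own heuristic (a legitimate open/edit handler always passes the file as "%1"; one that omits it, or runs shutdown, is not a handler), and the one txtfile row is constructed as a benign control, not taken from the report.

```python
import re

# Constructed sample: "Set value" rows copied verbatim from the report's Control Panel, Internet
# Explorer and registry class tables, plus one benign txtfile row (constructed, not from the report).
SAMPLE_REG_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A',
    r'''Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A''',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "%SystemRoot%\system32\NOTEPAD.EXE %1" C:\Windows\explorer.exe N/A',
]

SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (C:\\.+?)(?: N/A)?$')
HIVES = {r"\REGISTRY\MACHINE": "HKLM", r"\REGISTRY\USER": "HKU"}

# Commands that make a file verb destructive regardless of arguments (heuristic list).
DESTRUCTIVE = ("shutdown", "format ", "del ", "rmdir", "cipher /w")

# Per-user values worth reporting, keyed by (subkey below the SID, value name), both lower-cased.
USER_SETTINGS = {
    ("control panel\\desktop", "scrnsave.exe"): "screensaver",
    ("control panel\\desktop", "screensavetimeout"): "timeout_s",
    ("control panel\\screen saver.marquee", "text"): "marquee_text",
    ("control panel\\desktop", "convertedwallpaper"): "wallpaper",
    ("software\\microsoft\\internet explorer\\main", "window title"): "ie_window_title",
}


def parse_set_value(row):
    """Parse one 'Set value (type) <path> = "<data>" <process> N/A' row; None for any other row."""
    m = SET_VALUE_RE.match(row.strip())
    if not m:
        return None
    vtype, full_path, data, process = m.groups()
    for prefix, hive in HIVES.items():           # \REGISTRY\MACHINE -> HKLM, \REGISTRY\USER -> HKU
        if full_path.startswith(prefix):
            full_path = hive + full_path[len(prefix):]
            break
    key, _, name = full_path.rpartition("\\")   # a trailing backslash means the (Default) value
    return {"type": vtype, "key": key, "name": name or "(Default)", "data": data, "process": process}


def verb_hijack(rec):
    """Reason string if a shell-verb command under HKLM\\SOFTWARE\\Classes is not a real file handler."""
    key = rec["key"].lower()
    if not (key.startswith("hklm\\software\\classes\\") and key.endswith("\\command")):
        return None
    data = rec["data"].lower()
    if any(word in data for word in DESTRUCTIVE):
        return "destructive command used as file handler"
    if "%1" not in data:
        return "handler ignores the file argument (%1)"
    return None


def find_hijacks(rows):
    """All Classes verb commands in the rows that fail the handler check, in row order."""
    hits = []
    for row in rows:
        rec = parse_set_value(row)
        if rec is None:
            continue
        reason = verb_hijack(rec)
        if reason:
            hits.append({"key": rec["key"], "data": rec["data"], "reason": reason, "process": rec["process"]})
    return hits


def user_visible_payload(rows):
    """Collect the per-user screen saver, wallpaper and IE title values the sample sets."""
    profile = {}
    for row in rows:
        rec = parse_set_value(row)
        if rec is None or not rec["key"].startswith("HKU\\"):
            continue
        subkey = rec["key"].split("\\", 2)[-1].lower()    # drop "HKU\<SID>\"
        label = USER_SETTINGS.get((subkey, rec["name"].lower()))
        if label:
            profile.setdefault(label, set()).add(rec["data"])
    return {label: sorted(values) for label, values in profile.items()}


if __name__ == "__main__":
    for hit in find_hijacks(SAMPLE_REG_ROWS):
        print(f'{hit["key"]} = "{hit["data"]}"  <- {hit["reason"]} (set by {hit["process"]})')
    for label, values in user_visible_payload(SAMPLE_REG_ROWS).items():
        print(f"{label}: {values}")
```

The hijacked verbs matter beyond the sandbox: a responder who double-clicks a .vbs cleanup script on an infected host gets calc.exe, and a helpdesk reinstalling a driver via the .inf Install verb gets a forced reboot. Restore the VBSFile and inffile command values from an export of the same keys on a clean host of the same Windows build rather than from memory, and remember that these are HKLM keys, so every user on the machine is affected.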

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2548 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2548 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2548 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2548 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2612 wrote to memory of 2640 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2612 wrote to memory of 2640 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2612 wrote to memory of 2640 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2612 wrote to memory of 2640 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2612 wrote to memory of 2476 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2612 wrote to memory of 2476 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2612 wrote to memory of 2476 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2612 wrote to memory of 2476 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2476 wrote to memory of 2924 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2476 wrote to memory of 2924 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2476 wrote to memory of 2924 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2476 wrote to memory of 2924 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2476 wrote to memory of 3020 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2476 wrote to memory of 3020 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2476 wrote to memory of 3020 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2476 wrote to memory of 3020 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2476 wrote to memory of 756 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 2476 wrote to memory of 756 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 2476 wrote to memory of 756 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 2476 wrote to memory of 756 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 756 wrote to memory of 664 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 756 wrote to memory of 664 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 756 wrote to memory of 664 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 756 wrote to memory of 664 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 756 wrote to memory of 2764 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 756 wrote to memory of 2764 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 756 wrote to memory of 2764 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 756 wrote to memory of 2764 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 756 wrote to memory of 1076 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 756 wrote to memory of 1076 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 756 wrote to memory of 1076 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 756 wrote to memory of 1076 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 756 wrote to memory of 1780 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 756 wrote to memory of 1780 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 756 wrote to memory of 1780 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 756 wrote to memory of 1780 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1780 wrote to memory of 2192 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 1780 wrote to memory of 2192 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 1780 wrote to memory of 2192 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 1780 wrote to memory of 2192 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 1780 wrote to memory of 2076 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 1780 wrote to memory of 2076 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 1780 wrote to memory of 2076 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 1780 wrote to memory of 2076 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 1780 wrote to memory of 2884 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 1780 wrote to memory of 2884 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 1780 wrote to memory of 2884 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 1780 wrote to memory of 2884 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 1780 wrote to memory of 2064 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1780 wrote to memory of 2064 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1780 wrote to memory of 2064 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1780 wrote to memory of 2064 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1780 wrote to memory of 968 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1780 wrote to memory of 968 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1780 wrote to memory of 968 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1780 wrote to memory of 968 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 968 wrote to memory of 2260 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 968 wrote to memory of 2260 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 968 wrote to memory of 2260 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 968 wrote to memory of 2260 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
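
The table above is the whole spawn chain, but it is hard to read as 64 near-identical rows. The following script, an added example that is not part of the sandbox report, parses rows in exactly the layout shown here ("PID <src> wrote to memory of <dst> N/A <source image> <target image>"), collapses repeated rows into counted edges and prints the resulting tree plus the per-image fan-out. The sample rows are constructed from the table above (one per source/target pair, with the first pair kept twice). Every target here is one of the dropped executables that the writer itself just launched, so the edges read as a spawn chain; whether each write is process hollowing or an ordinary loader setting up its child is not something this table alone tells you.

```python
"""Rebuild the spawn/injection chain from a sandbox 'wrote to memory of' table.

Added example (not part of the sandbox report). It assumes the row layout used
on this page: 'PID <src> wrote to memory of <dst> N/A <source image> <target image>'.
"""
import re

# Constructed sample: rows taken from the WriteProcessMemory table above, reduced
# to one row per (source, target) pair except the first, which is kept twice to
# show that repeated rows are counted rather than turned into duplicate edges.
SAMPLE_EXE = r"C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe"
FONTS = r"C:\Windows\Fonts\Admin 17 - 6 - 2024"
DRIVERS = r"C:\Windows\SysWOW64\drivers"


def _row(src, dst, src_img, dst_img):
    return f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"


SAMPLE_ROWS = "\n".join([
    _row(2548, 2612, SAMPLE_EXE, FONTS + r"\smss.exe"),
    _row(2548, 2612, SAMPLE_EXE, FONTS + r"\smss.exe"),
    _row(2612, 2640, FONTS + r"\smss.exe", FONTS + r"\smss.exe"),
    _row(2612, 2476, FONTS + r"\smss.exe", FONTS + r"\Gaara.exe"),
    _row(2476, 2924, FONTS + r"\Gaara.exe", FONTS + r"\smss.exe"),
    _row(2476, 3020, FONTS + r"\Gaara.exe", FONTS + r"\Gaara.exe"),
    _row(2476, 756, FONTS + r"\Gaara.exe", FONTS + r"\csrss.exe"),
    _row(756, 664, FONTS + r"\csrss.exe", FONTS + r"\smss.exe"),
    _row(756, 2764, FONTS + r"\csrss.exe", FONTS + r"\Gaara.exe"),
    _row(756, 1076, FONTS + r"\csrss.exe", FONTS + r"\csrss.exe"),
    _row(756, 1780, FONTS + r"\csrss.exe", DRIVERS + r"\Kazekage.exe"),
    _row(1780, 2192, DRIVERS + r"\Kazekage.exe", FONTS + r"\smss.exe"),
    _row(1780, 2076, DRIVERS + r"\Kazekage.exe", FONTS + r"\Gaara.exe"),
    _row(1780, 2884, DRIVERS + r"\Kazekage.exe", FONTS + r"\csrss.exe"),
    _row(1780, 2064, DRIVERS + r"\Kazekage.exe", DRIVERS + r"\Kazekage.exe"),
    _row(1780, 968, DRIVERS + r"\Kazekage.exe", DRIVERS + r"\system32.exe"),
    _row(968, 2260, DRIVERS + r"\system32.exe", FONTS + r"\smss.exe"),
])

# Image paths contain spaces ("Admin 17 - 6 - 2024"), so the two paths are split
# on the first " <drive>:\" that follows the source path, not on whitespace.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>[A-Za-z]:\\.+?) (?P<dst_img>[A-Za-z]:\\.+)$"
)


def parse_rows(text):
    """Return (src_pid, dst_pid, src_image, dst_image) for every matching row."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append((int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"]))
    return events


def build_chain(events):
    """Collapse rows into a parent->children map plus per-edge row counts."""
    children, image, row_count = {}, {}, {}
    for src, dst, src_img, dst_img in events:
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        if (src, dst) not in row_count:
            children.setdefault(src, []).append(dst)
        row_count[(src, dst)] = row_count.get((src, dst), 0) + 1
    return children, image, row_count


def roots(children):
    """Writers that were never themselves written to: the chain's origin(s)."""
    targets = {c for kids in children.values() for c in kids}
    return [pid for pid in children if pid not in targets]


def basename(path):
    return path.rsplit("\\", 1)[-1]


def render(children, image, pid, depth=0, out=None):
    """Indented tree, one line per process, in first-seen order."""
    out = [] if out is None else out
    out.append("  " * depth + f"{pid} {basename(image[pid])}")
    for kid in children.get(pid, []):
        render(children, image, kid, depth + 1, out)
    return out


def fanout(children, image):
    """Which images each writer image started: shows the stage-by-stage growth."""
    result = {}
    for src, kids in children.items():
        result.setdefault(basename(image[src]), set()).update(basename(image[k]) for k in kids)
    return result


if __name__ == "__main__":
    ch, img, counts = build_chain(parse_rows(SAMPLE_ROWS))
    for root in roots(ch):
        print("\n".join(render(ch, img, root)))
    for writer, started in fanout(ch, img).items():
        print(f"{writer} -> {sorted(started)}")
```

Run against the rows above, the fan-out shows the pattern worth writing down in the report: each dropped stage relaunches every image before it and adds one new one (smss.exe starts smss and Gaara; Gaara adds csrss; csrss adds Kazekage; Kazekage adds system32.exe), so the set of live copies grows with every hop, which is what makes the detonation look like a process storm.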

System policy modification

evasion
Note that this key sits under \REGISTRY\MACHINE\SOFTWARE\Microsoft\... with no WOW6432Node component, unlike the Winlogon writes recorded for behavioral2: Policies is a shared key, so the 32-bit sample changed the real EnableLUA value. Setting EnableLUA to 0 takes effect only after a restart and already requires an elevated token to write, so what is recorded here is UAC being disabled from an admin context rather than bypassed.
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe
(the command line says system32\drivers, but for a 32-bit process the WOW64 file-system redirector maps that to SysWOW64\drivers; this is why the image path above differs from its command line and why every copy this sample drops under "system32" actually lands in SysWOW64)

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500
(note the argument order, repeated in every ping line below: Windows ping expects a numeric buffer size after -l, so as written the host name is consumed as the -l value; the only network activity the sandbox recorded is the reverse-DNS lookups listed under Network, with nothing to either host)

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp

Files

memory/2548-0-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 311b2a84aff1540faf22e408c3dfb2d0
SHA1 e53a15fc3603bb1cf198c7453be0ecf0d2904b27
SHA256 daada888d24a596d4633a77fb3b9537efc18ae18b9537ad13bf3885259e1ff79
SHA512 cbbca26eb2c9a13d8234ef58cb2ca68de97ddfe77e02d70209a11b3b9efbdf76b20ca5a9e23543ba83181a48f053b953be9124e4e7f9b115579b2673e8949c7f

C:\Windows\system\msvbvm60.dll

MD5 c86fd6f9f58f0a35a7e6aa32f1798ada
SHA1 807222b73c41847ba9953751161f80b016677945
SHA256 5fc9a4ddc55b36290a94ac10eb8a2b1c00cddf1dd7be76d4f6a85f62c6787aed
SHA512 cba06ed200962bc61e6fe9475873ebcd2fe06a274b8f789d47fcd66ce06efd70812ebe9dbfd7ab1b87e843cec13170dccd6eba4c31efdd8fbcbf72164011a1c4

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

MD5 7909335e6f79304fe1e35396a85108dc
SHA1 18db7ffc65dfa769b01fb202ae5b7593d4213f45
SHA256 dac442a88a1abff3d6314d043abea5c6a3daa57b1d7e179ac3413c321f7784f2
SHA512 3ab0b9e81e13e5e79695a1fddf1327c6a3a5571a9f29c68e35db8a7fe88248f80438a7e684d6f7d04ad12f59250d77238b50e07e07e9b38368f91683dc25220b

\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll

MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

memory/2612-40-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2548-38-0x0000000000390000-0x00000000003CB000-memory.dmp

memory/2548-37-0x0000000000390000-0x00000000003CB000-memory.dmp

memory/2640-81-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2612-79-0x0000000002420000-0x000000000245B000-memory.dmp

memory/2640-82-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2476-91-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

MD5 7aa071df1fa21fde59f0f427aecafe52
SHA1 f5b95d9d6db91a6ab694f16da39fbc0138943cf5
SHA256 36f88d9870b34c6dddf92ea92bcc9bba04443846ccd46597a8be63822b86adb9
SHA512 fbec5600ed48deca2404ade531fef2536e02e0965faca2ada9b1228bd6f430149e1a5b920ec112c312f9260d80022fc2e82d0498c85c5c7016fc736247f419f2

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(these are the digests of a zero-byte file: the image was hashed at creation, before any content was written; the second record for this path further down carries the real content)

memory/2924-127-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3020-133-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3020-136-0x0000000000400000-0x000000000043B000-memory.dmp

memory/756-147-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 e57133ac0af84de09a586e46b107404f
SHA1 d0ac403ecd8bf9820138139a6a149ce452b9cbc3
SHA256 5e920e328b7d5c619edb37331feda48e368c7bfa92e53f5b1840ce2a1ca8054d
SHA512 3cfe02f5d76213d0bb7a0add742fed64789bde89ec0f8d3bbd01e2f0163f3c062431ca86e9ad17002a7484f97e6a2cbd5cd670fb90ec622d27f3100dfcc923e3

memory/2548-175-0x0000000000400000-0x000000000043B000-memory.dmp

memory/756-187-0x0000000000290000-0x00000000002CB000-memory.dmp

memory/2612-195-0x0000000002420000-0x000000000245B000-memory.dmp

memory/1076-194-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1780-208-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2884-237-0x0000000000400000-0x000000000043B000-memory.dmp

memory/968-247-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1780-246-0x00000000004C0000-0x00000000004FB000-memory.dmp

memory/2260-263-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2280-268-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2280-269-0x0000000000400000-0x000000000043B000-memory.dmp

memory/968-275-0x00000000002D0000-0x000000000030B000-memory.dmp

memory/968-279-0x00000000002D0000-0x000000000030B000-memory.dmp

memory/1728-278-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3032-294-0x0000000000400000-0x000000000043B000-memory.dmp

memory/968-298-0x0000000000400000-0x000000000043B000-memory.dmp

memory/968-304-0x00000000002D0000-0x000000000030B000-memory.dmp

memory/2364-310-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2364-311-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2032-314-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1572-321-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1576-326-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1576-325-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2548-324-0x0000000000390000-0x00000000003CB000-memory.dmp

memory/1572-320-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1304-317-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2252-307-0x0000000000400000-0x000000000043B000-memory.dmp

memory/968-303-0x00000000002D0000-0x000000000030B000-memory.dmp

memory/968-302-0x00000000002D0000-0x000000000030B000-memory.dmp

memory/348-301-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2404-297-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3032-293-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2476-292-0x00000000005D0000-0x000000000060B000-memory.dmp

memory/936-289-0x0000000000400000-0x000000000043B000-memory.dmp

memory/936-288-0x0000000000400000-0x000000000043B000-memory.dmp

memory/756-287-0x0000000000290000-0x00000000002CB000-memory.dmp

memory/2064-286-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1780-285-0x00000000004C0000-0x00000000004FB000-memory.dmp

memory/1740-282-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1780-274-0x0000000000400000-0x000000000043B000-memory.dmp

memory/756-273-0x0000000000290000-0x00000000002CB000-memory.dmp

memory/1592-272-0x0000000000400000-0x000000000043B000-memory.dmp

memory/968-267-0x00000000002D0000-0x000000000030B000-memory.dmp

memory/2260-264-0x0000000000400000-0x000000000043B000-memory.dmp

memory/968-262-0x00000000002D0000-0x000000000030B000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 76740763caa4be8e45d1625370a94bcb
SHA1 7ed9f8ec26369c52011d0de5db6128aad7b1f605
SHA256 42da963bde9806d968dcdb56c5e4aaf62d51d4e62f806c39951eee25e9cffe31
SHA512 542d8198afe7e63249e4d204a6756ffdd8b766f6e703cde79d4148b00684efeb04a2a9d5953d90536c48b0b898f34a2db8192f718f4b3da6bb398dcde69cc362

memory/2064-242-0x0000000000400000-0x000000000043B000-memory.dmp

memory/756-240-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2076-234-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2192-231-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2192-230-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1780-229-0x00000000004C0000-0x00000000004FB000-memory.dmp

C:\Windows\SysWOW64\17-6-2024.exe

MD5 dbe1d641a4a522c6502d0d3e6de1929e
SHA1 43092ad2a695be82a9a4963848084a703aab1e77
SHA256 5f542bb43235f881fd95dad31ca6210cf27983d1302b8138f2f331b2800b904f
SHA512 42b2afc65497241100a28c05dbc6ed67701a4e5568ea11d546d2dd4cad5796ad31848f6bcadeff0cb9ef5c600125c8e45f7f4863ed5f0162140fdf09a22ab313

memory/756-206-0x0000000000290000-0x00000000002CB000-memory.dmp

memory/2476-205-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1076-198-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2612-192-0x0000000002420000-0x000000000245B000-memory.dmp

memory/2764-190-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2764-188-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2612-186-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2548-185-0x0000000000390000-0x00000000003CB000-memory.dmp

memory/664-182-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 6488b37ec03cfd6c317b81ee0d5b3ba3
SHA1 de257f12093111541f9f032ed8f924287cdd207b
SHA256 c3fcd3f1659b02c3a10dee1bc90568cf0bf49f3db72239564c71372baaa47f4d
SHA512 066fc81ebdd860918114725d181a821d05421a247bc7cee01cc2c2f41205e51efaa35f52fad0d7e798d5dab1fe0bdf4e05e090e62b73abbca7649928318c1067

memory/2924-132-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2476-131-0x00000000005D0000-0x000000000060B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\msvbvm60.dll

MD5 09298236a9fd4b7d2450cf3538f16827
SHA1 1528d16de7f6aabde96ada46ae92452d84eb0bdf
SHA256 83462cf5217c728d9370b9d8aedfadde8f1cefda3d17a148cbec5b231fc58b8c
SHA512 64381995b720a633cefffa5400eb5cf7b320c26c57de105606450fd2e2254081ab9acd88c07281db7f222a4263c732123ce6fc720a4d99061bcd0345febafc1f

memory/2476-330-0x00000000005D0000-0x000000000060B000-memory.dmp

memory/2612-331-0x0000000002420000-0x000000000245B000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

F:\Admin Games\Kazekage.exe

MD5 601c31f7135aff6e1a422e8a8f8ad1be
SHA1 7e14b3f6a9cd9e37d66ea10a2c9455781fe946ab
SHA256 ba36845836e58ff1fbc9d4df39fb4c87a9f38fd52776a704b74ef7590bfc6057
SHA512 92de0bae43dba2efc013c74ef9b0ae22d90e0e5c4e59a445d53359b51566bd125fbb11611b7ab9118c9837aad5a858db574842a90508fb60a1a52b7bd5ff0e2f
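
The Files list above mixes three kinds of record that deserve different handling: the first Kazekage.exe entry carries the submitted sample's own hashes (a byte-identical self-copy), The Kazekage.jpg and system32.exe each appear twice with different digests (the path was captured once at creation and once after it was written), and F:\Admin Games\Kazekage.exe together with C:\Autorun.inf is the removable-media drop. The script below is an added example, not part of the sandbox report; it parses records in the layout used here (a path line followed by "MD5/SHA1/SHA256/SHA512 <hex>" lines, with "memory/..." region dumps skipped), recognizes the empty-file digests by computing them rather than hard-coding them, and emits a de-duplicated SHA256 set suitable for blocking. The sample input is a constructed subset of the records above with the SHA512 lines omitted.

```python
"""Triage of the dropped-file list: self-copies, empty captures, rewritten paths,
off-system-drive drops and a de-duplicated hash set.

Added example (not part of the sandbox report). It assumes the layout used in
the Files section above: a path line followed by 'MD5/SHA1/SHA256/SHA512 <hex>'
lines; 'memory/...' entries are region dumps and are skipped.
"""
import hashlib
import re

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()   # computed, not hard-coded
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Constructed sample: a subset of the records above, SHA512 lines omitted.
SAMPLE_FILES = r"""
memory/2548-0-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 311b2a84aff1540faf22e408c3dfb2d0
SHA1 e53a15fc3603bb1cf198c7453be0ecf0d2904b27
SHA256 daada888d24a596d4633a77fb3b9537efc18ae18b9537ad13bf3885259e1ff79

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Windows\SysWOW64\drivers\system32.exe

MD5 76740763caa4be8e45d1625370a94bcb
SHA1 7ed9f8ec26369c52011d0de5db6128aad7b1f605
SHA256 42da963bde9806d968dcdb56c5e4aaf62d51d4e62f806c39951eee25e9cffe31

C:\Windows\SysWOW64\drivers\system32.exe

MD5 6488b37ec03cfd6c317b81ee0d5b3ba3
SHA1 de257f12093111541f9f032ed8f924287cdd207b
SHA256 c3fcd3f1659b02c3a10dee1bc90568cf0bf49f3db72239564c71372baaa47f4d

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

F:\Admin Games\Kazekage.exe

MD5 601c31f7135aff6e1a422e8a8f8ad1be
SHA1 7e14b3f6a9cd9e37d66ea10a2c9455781fe946ab
SHA256 ba36845836e58ff1fbc9d4df39fb4c87a9f38fd52776a704b74ef7590bfc6057
"""

PATH_RE = re.compile(r"^(?:[A-Za-z]:)?\\.+")          # 'C:\...' or '\Windows\...'
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")


def parse_files(text):
    """Return one dict per file record: {'path': ..., 'md5': ..., 'sha256': ...}."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("memory/"):
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            algo, digest = h.group(1), h.group(2).lower()
            if len(digest) != HEX_LEN[algo]:
                raise ValueError(f"{algo} digest of wrong length for {current['path']}")
            current[algo.lower()] = digest
        elif PATH_RE.match(line):
            current = {"path": line}
            records.append(current)
    return records


def analyze(records, sample_sha256):
    """Group the records into the questions an analyst asks of a drop list."""
    by_path = {}
    for r in records:
        by_path.setdefault(r["path"], []).append(r.get("sha256"))
    return {
        # the sample wrote a byte-identical copy of itself here
        "self_copies": [r["path"] for r in records if r.get("sha256") == sample_sha256],
        # digests of zero bytes: captured at creation, before content was written
        "empty_captures": [r["path"] for r in records if r.get("sha256") == EMPTY_SHA256],
        # same path seen with more than one content hash
        "rewritten": sorted(p for p, hs in by_path.items() if len(set(hs)) > 1),
        # anything outside the system drive is a removable/secondary-volume drop
        "off_system_drive": [r["path"] for r in records if not r["path"].upper().startswith("C:\\")],
        "sha256_iocs": sorted({r["sha256"] for r in records
                               if r.get("sha256") and r["sha256"] != EMPTY_SHA256}),
    }


if __name__ == "__main__":
    recs = parse_files(SAMPLE_FILES)
    for k, v in analyze(recs, recs[0]["sha256"]).items():
        print(f"{k}: {v}")
```

Excluding the empty-file digest from the IOC set matters in practice: a blocklist entry for e3b0c442... would match every zero-byte file on the estate.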

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 01:48

Reported

2024-06-17 01:51

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
The sample appends its droppers to the existing Shell and Userinit values rather than replacing them, so logon still runs Explorer.exe and userinit.exe and nothing looks broken to the user. Every path below carries WOW6432Node: these are a 32-bit process's writes, redirected to the 32-bit view of the Winlogon key, whereas the 64-bit winlogon.exe on this win10 image reads the native view. When hunting, query both views (reg query with /reg:32 and with /reg:64) rather than only the one your tooling defaults to.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\K:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\W:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created F:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\A:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\17-6-2024.exe C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
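
The three registry tables above (the Control Panel screen-saver values, the Internet Explorer Window Title, and the file-class shell verbs) share one row layout, and the facts that matter are buried in it: every dropped copy rewrites HKLM\SOFTWARE\Classes\VBSFile\Shell\Open\Command to calc.exe and HKLM\SOFTWARE\Classes\inffile\shell\Install\command to shutdown -r -f -t 0, so opening any .vbs launches Calculator and choosing Install on any .inf forces an immediate reboot, and the copies also point SCRNSAVE.EXE at ssmarque.scr. The Python below is an added example, not part of the sandbox report or of the sample itself: it parses rows in this report's layout (eight rows copied unchanged from the tables above serve as input), splits each Set value row into key, value name and data, and applies three checks. The shell-verb check rests on a heuristic that is this example's assumption rather than anything the report states: a genuine open or install handler passes the selected file as "%1", so a verb command that contains no "%1" is treated as hijacked.

```python
import re
from collections import Counter

# Eight rows copied unchanged from the registry tables of this report
# (Control Panel, Internet Explorer settings, registry class). Every row has
# the shape: <Description> <Indicator> <Process> <Target>, with Target = N/A.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
"""

# Process paths contain spaces, so the row is split on the two anchors that
# cannot occur inside the other columns: the "\REGISTRY\" prefix of the
# indicator and the " <drive>:\" start of the process path.
ROW_RE = re.compile(
    r'^(?P<desc>Set value \([a-z]+\)|Key created) '
    r'(?P<indicator>\\REGISTRY\\.*?) '
    r'(?P<process>[A-Za-z]:\\.*?) '
    r'(?P<target>N/A)$'
)
# Indicator of a Set value row: <key>\<name> = "<data>"; an empty <name>
# (the indicator ends in "\ = ") is the key's default value.
VALUE_RE = re.compile(r'^(?P<key>.+)\\(?P<name>[^\\]*) = "(?P<data>.*)"$')
SHELL_VERB_RE = re.compile(
    r'\\Classes\\(?P<cls>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command$', re.I)


def parse_rows(text):
    """One dict per row: desc, process, key, and value=(name, data) or None."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised row: {line!r}")
        ev = {"desc": m["desc"], "process": m["process"],
              "key": m["indicator"], "value": None}
        v = VALUE_RE.match(m["indicator"]) if m["desc"].startswith("Set value") else None
        if v:
            ev["key"], ev["value"] = v["key"], (v["name"], v["data"])
        events.append(ev)
    return events


def shell_verb_hijacks(events):
    r"""Default values written under ...\Classes\<class>\shell\<verb>\command.
    Heuristic (this example's assumption): a real handler passes the file it
    was invoked on as "%1", so a verb command without "%1" is flagged."""
    hits = []
    for ev in events:
        if ev["value"] is None:
            continue
        name, data = ev["value"]
        m = SHELL_VERB_RE.search(ev["key"])
        if m and name == "" and "%1" not in data:
            hits.append((m["cls"], m["verb"], data, ev["process"]))
    return hits


def screensaver_changes(events):
    """SCRNSAVE.EXE / ScreenSaveTimeOut writes: the screen saver is user-level
    code that runs after idle time, a well-known persistence location."""
    out = []
    for ev in events:
        if ev["value"] and ev["key"].lower().endswith(r"\control panel\desktop"):
            name, data = ev["value"]
            if name.upper() in ("SCRNSAVE.EXE", "SCREENSAVETIMEOUT"):
                out.append((name, data, ev["process"]))
    return out


def ie_window_titles(events):
    r"""Window Title writes under ...\Internet Explorer\Main (browser defacement)."""
    return [(ev["value"][1], ev["process"]) for ev in events
            if ev["value"] and ev["value"][0] == "Window Title"
            and ev["key"].lower().endswith(r"\internet explorer\main")]


def writers(events):
    """How many rows each process (by image name) produced."""
    return Counter(ev["process"].rsplit("\\", 1)[-1] for ev in events)


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    for cls, verb, cmd, proc in shell_verb_hijacks(evs):
        print(f"shell verb hijack: {cls} -> {verb} runs {cmd!r} (set by {proc})")
    for name, data, proc in screensaver_changes(evs):
        print(f"screen saver: {name} = {data!r} (set by {proc})")
    for title, proc in ie_window_titles(evs):
        print(f"IE window title: {title!r} (set by {proc})")
    print("rows per process:", dict(writers(evs)))
```

Feeding the full tables through parse_rows gives the per-process view that matters for clean-up: the same hijacks are re-applied by every dropped copy (smss.exe, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe and the original sample), so restoring the VBSFile and inffile handlers without first removing every copy is undone the next time any of them runs.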

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A (36 identical rows)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A (24 identical rows)
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A (24 identical rows)
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A (16 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3856 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 3856 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 3856 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 1616 wrote to memory of 4792 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 1616 wrote to memory of 4792 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 1616 wrote to memory of 4792 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 1616 wrote to memory of 2596 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 1616 wrote to memory of 2596 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 1616 wrote to memory of 2596 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2596 wrote to memory of 3348 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2596 wrote to memory of 3348 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2596 wrote to memory of 3348 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2596 wrote to memory of 5104 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2596 wrote to memory of 5104 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2596 wrote to memory of 5104 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2596 wrote to memory of 2296 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 2596 wrote to memory of 2296 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 2596 wrote to memory of 2296 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 2296 wrote to memory of 2240 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2296 wrote to memory of 2240 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2296 wrote to memory of 2240 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2296 wrote to memory of 448 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2296 wrote to memory of 448 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2296 wrote to memory of 448 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2296 wrote to memory of 2580 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 2296 wrote to memory of 2580 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 2296 wrote to memory of 2580 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 2296 wrote to memory of 1404 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2296 wrote to memory of 1404 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2296 wrote to memory of 1404 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1404 wrote to memory of 2528 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 1404 wrote to memory of 2528 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 1404 wrote to memory of 2528 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 1404 wrote to memory of 1432 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 1404 wrote to memory of 1432 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 1404 wrote to memory of 1432 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 1404 wrote to memory of 2756 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 1404 wrote to memory of 2756 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 1404 wrote to memory of 2756 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 1404 wrote to memory of 3032 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1404 wrote to memory of 3032 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1404 wrote to memory of 3032 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1404 wrote to memory of 2816 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1404 wrote to memory of 2816 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1404 wrote to memory of 2816 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2816 wrote to memory of 4064 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2816 wrote to memory of 4064 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2816 wrote to memory of 4064 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2816 wrote to memory of 2256 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2816 wrote to memory of 2256 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2816 wrote to memory of 2256 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2816 wrote to memory of 5044 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 2816 wrote to memory of 5044 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 2816 wrote to memory of 5044 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 2816 wrote to memory of 2680 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2816 wrote to memory of 2680 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2816 wrote to memory of 2680 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2816 wrote to memory of 4388 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2816 wrote to memory of 4388 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2816 wrote to memory of 4388 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2296 wrote to memory of 1396 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2296 wrote to memory of 1396 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2296 wrote to memory of 1396 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2596 wrote to memory of 4484 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\311b2a84aff1540faf22e408c3dfb2d0_NeikiAnalytics.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp

Files

memory/3856-0-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

MD5 7909335e6f79304fe1e35396a85108dc
SHA1 18db7ffc65dfa769b01fb202ae5b7593d4213f45
SHA256 dac442a88a1abff3d6314d043abea5c6a3daa57b1d7e179ac3413c321f7784f2
SHA512 3ab0b9e81e13e5e79695a1fddf1327c6a3a5571a9f29c68e35db8a7fe88248f80438a7e684d6f7d04ad12f59250d77238b50e07e07e9b38368f91683dc25220b

memory/1616-32-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\SysWOW64\drivers\system32.exe

MD5 d2f6b71574335f2c0cba0a70fcdcfe93
SHA1 f5c9bebdb56adb9279d53d7d150134590518c33a
SHA256 6d656fc1b34c2673d6ad0411d170ddc24ae0901618113e6bc0be4562f6f35d59
SHA512 c77a13381d256e2c70eb68cbd471995d92b8604cb85914198036ab5121e4bc09e9257bab2d533600eb5d73e9cd277b3a3f8501319d105fec38a1f7b4147d637e

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 e6ccc36046158b34234223cdb45a7746
SHA1 2a6906a560f5693f4664a8b66d8c45a032c7a845
SHA256 e7c8c973b1423d65f144e3a89bae93c1a8ab8881226a92e669072a5fd111d480
SHA512 601a388076fff2c397868afea77aac7e6b92dd83cd66aa419d279524230da374b417eb6928c482fd31f7442e958efa97c3e0193bbfa5892bddc947b9c6267bcd

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

MD5 3253b5c7776897af4495b220d1c349c6
SHA1 269c0bad44c8a41aaf01d01fb9235a8349a5da01
SHA256 60997e07b34ebbd1c525648c2029e3ac31d982e19089b44cadcbb0a99ae95371
SHA512 038fca7cd004c0beeba93efd831f6140ec2ace84ba2495fc870b975621535e6e624e8651862f9a2482cf59b7348fe80ecf8583a386b46f5e9f2f5ab9567ad985

memory/4792-70-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

MD5 7aa071df1fa21fde59f0f427aecafe52
SHA1 f5b95d9d6db91a6ab694f16da39fbc0138943cf5
SHA256 36f88d9870b34c6dddf92ea92bcc9bba04443846ccd46597a8be63822b86adb9
SHA512 fbec5600ed48deca2404ade531fef2536e02e0965faca2ada9b1228bd6f430149e1a5b920ec112c312f9260d80022fc2e82d0498c85c5c7016fc736247f419f2

memory/2596-76-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4792-75-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\drivers\system32.exe

MD5 47b5e0feb323c02e7de17488cc09f75c
SHA1 0325fe3a1ff70e871cbe5b83fd8afbd9afa84033
SHA256 a17b8b30ba2618d3f75722d8f4468d3f77c142cd090a26924dcd39844df86827
SHA512 ee39f8aa49454d8dca5ed16325bf865ae8a48c705a36123893d547fc9599bd48a6c5a72feb70717f05622d540bc0592a8f771fe83acaf1a6e7a97d0b836ae7a3

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 1639d95c0872e423a8021659bc79fcac
SHA1 0c9561e644edc1fb36eef5ffd393e7ce8ea75da5
SHA256 59b5112887600ddbb2fec226442c536014be3f8f5ca1aaadb89a28f2237a7a31
SHA512 dd4d04f117d553820e3cf3ef1db2582cb92466db65f583876ccff08767f1639ea64cfee1590db7df774574f1773c4bee32be427ff455c1bb4f08e4c36eedc4af

memory/5104-114-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3348-113-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

MD5 1d9dbe30ec06424da1a85b0a12ea2c65
SHA1 b5fb8a494405db85bd2c3690bc5c6df6190edd67
SHA256 3a2106952cec3c69a3fee1fc835d198fcd07e9dc2f99a21abd2be38527933626
SHA512 f307b6ac72302e80ec982f16261be6fd274b9d446bbdbd92316b866dd563d31ac555fb7122f35f084dee96bd0dc228d4afc97a38c1c7b22d29d2225e1e140244

memory/2296-122-0x0000000000400000-0x000000000043B000-memory.dmp

memory/5104-121-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2240-153-0x0000000000400000-0x000000000043B000-memory.dmp

memory/448-158-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3856-164-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 dbe1d641a4a522c6502d0d3e6de1929e
SHA1 43092ad2a695be82a9a4963848084a703aab1e77
SHA256 5f542bb43235f881fd95dad31ca6210cf27983d1302b8138f2f331b2800b904f
SHA512 42b2afc65497241100a28c05dbc6ed67701a4e5568ea11d546d2dd4cad5796ad31848f6bcadeff0cb9ef5c600125c8e45f7f4863ed5f0162140fdf09a22ab313

memory/1404-165-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1616-189-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2528-194-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1432-200-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3032-205-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2756-204-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3032-212-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2816-211-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2296-230-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4064-233-0x0000000000400000-0x000000000043B000-memory.dmp

memory/5044-236-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2256-237-0x0000000000400000-0x000000000043B000-memory.dmp

memory/5044-240-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1404-245-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2680-243-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4388-247-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1396-250-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1396-251-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4484-257-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4596-260-0x0000000000400000-0x000000000043B000-memory.dmp

memory/2816-264-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1232-263-0x0000000000400000-0x000000000043B000-memory.dmp

memory/3572-267-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1392-270-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4636-273-0x0000000000400000-0x000000000043B000-memory.dmp

memory/1120-276-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4292-280-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4752-279-0x0000000000400000-0x000000000043B000-memory.dmp

memory/4752-283-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\SysWOW64\17-6-2024.exe

MD5 4d7d59ac1475c1db5f96e4ff0c90dc6f
SHA1 09c0096020de770c3d3f03118d751e3b8dfaf421
SHA256 1499cde50c9243f36b2222a307f8231c3120f79138fc091011e837d348b7bd7f
SHA512 f3483cb9ce1b80f03967a0f6cbf9acf8d6218a1d51bb45a9b980b280c20502091b8b25b0ecd6ec40a4f1768f43af135d442f1bebd3fb1dce4babd35c5dadff77

memory/2596-199-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\SysWOW64\17-6-2024.exe

MD5 5a31b883e5a31422566c00ea6a1f7649
SHA1 487dc5a271df469a81983b7e7726adbbfe670a54
SHA256 0ac2d745b2adb8baebe30e53cb77d890ae9a2e55499a9ffea3261507f7a673f2
SHA512 598540c4e329165a22ed8a8ab51313fa2e5758b31e475c044e9581df0afefa0963c854233957856fbe526f1231009f68e45c8433466b33170adabc09a5809bcf

memory/2580-161-0x0000000000400000-0x000000000043B000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 6488b37ec03cfd6c317b81ee0d5b3ba3
SHA1 de257f12093111541f9f032ed8f924287cdd207b
SHA256 c3fcd3f1659b02c3a10dee1bc90568cf0bf49f3db72239564c71372baaa47f4d
SHA512 066fc81ebdd860918114725d181a821d05421a247bc7cee01cc2c2f41205e51efaa35f52fad0d7e798d5dab1fe0bdf4e05e090e62b73abbca7649928318c1067

C:\Windows\SysWOW64\17-6-2024.exe

MD5 b0cca6eaedb472cd1a964ed29d7e623e
SHA1 b5410228dc3f9af91b5f5474ef4ecb305eddf960
SHA256 bab1014096eec582638d15899288af8de40c6a3480c463802e3ca7768ea419ce
SHA512 47d0a10c18a5702eaaa1e5bc02fb0e1265ba004a53ff6ebf1ea8821c6ed0dcb0d6517d4da7d81e430aed32b746dbf05764954bf370493cb7fbc1efa457cd4970

F:\Gaara.exe

MD5 311b2a84aff1540faf22e408c3dfb2d0
SHA1 e53a15fc3603bb1cf198c7453be0ecf0d2904b27
SHA256 daada888d24a596d4633a77fb3b9537efc18ae18b9537ad13bf3885259e1ff79
SHA512 cbbca26eb2c9a13d8234ef58cb2ca68de97ddfe77e02d70209a11b3b9efbdf76b20ca5a9e23543ba83181a48f053b953be9124e4e7f9b115579b2673e8949c7f

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a