Analysis

max time kernel: 150s
max time network: 130s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 17/06/2024, 05:14
Behavioral task
behavioral1
Sample
4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Resource
win10v2004-20240508-en
General

Target: 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Size: 66KB
MD5: 4f638f90ece1cd2c4f8b10a792956d70
SHA1: ab95276f68053c4bdaea10975610dea6b0b042eb
SHA256: e70f2481aa838b9592454700e264c29acb17521fda0303adfbaac30963ec6a59
SHA512: e5801242754199a6ff77dc2d8ec266f2051971b8dc74f5f05108ecbdce2ab9346a2ab0bde9847ba075edfaf0ed5be88d380d89750e7cfe842caffd410f9a2bbb
SSDEEP: 1536:37OE59Vyzrc8K3WgFtKhJP+tcrVOXKzaJThZfaKhQiSEKNJ:LV5998K3WQ8fjEXKgZfnhfxu
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |

Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |

Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe |

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |

Disables RegEdit via registry modification 6 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe |

Disables use of System Restore points 1 TTPs
Drops file in Drivers directory 24 IoCs

| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |

Sets file execution options in registry 2 TTPs 64 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | Gaara.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | Kazekage.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | system32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | Kazekage.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | Kazekage.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | system32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | Gaara.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | system32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | Kazekage.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Kazekage.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | Gaara.exe |

Executes dropped EXE 30 IoCs

| pid | Process |
|---|---|
| 2648 | smss.exe |
| 1964 | smss.exe |
| 2796 | Gaara.exe |
| 2872 | smss.exe |
| 1032 | Gaara.exe |
| 1248 | csrss.exe |
| 1768 | smss.exe |
| 1284 | Gaara.exe |
| 2068 | csrss.exe |
| 1712 | Kazekage.exe |
| 332 | smss.exe |
| 112 | Gaara.exe |
| 1104 | csrss.exe |
| 1668 | Kazekage.exe |
| 1784 | system32.exe |
| 2264 | smss.exe |
| 1732 | Gaara.exe |
| 1792 | csrss.exe |
| 952 | Kazekage.exe |
| 1940 | system32.exe |
| 2304 | system32.exe |
| 1620 | Kazekage.exe |
| 1716 | system32.exe |
| 1384 | csrss.exe |
| 2056 | Kazekage.exe |
| 3028 | system32.exe |
| 2344 | Gaara.exe |
| 2908 | csrss.exe |
| 1656 | Kazekage.exe |
| 2748 | system32.exe |

Loads dropped DLL 64 IoCs

| pid | Process |
|---|---|
| 2416 | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| 2416 | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| 2648 | smss.exe |
| 2648 | smss.exe |
| 1964 | smss.exe |
| 2648 | smss.exe |
| 2648 | smss.exe |
| 2796 | Gaara.exe |
| 2796 | Gaara.exe |
| 2796 | Gaara.exe |
| 2872 | smss.exe |
| 2796 | Gaara.exe |
| 1032 | Gaara.exe |
| 2796 | Gaara.exe |
| 2796 | Gaara.exe |
| 1248 | csrss.exe |
| 1248 | csrss.exe |
| 1248 | csrss.exe |
| 1768 | smss.exe |
| 1248 | csrss.exe |
| 1248 | csrss.exe |
| 1284 | Gaara.exe |
| 1248 | csrss.exe |
| 2068 | csrss.exe |
| 1248 | csrss.exe |
| 1248 | csrss.exe |
| 1712 | Kazekage.exe |
| 1712 | Kazekage.exe |
| 332 | smss.exe |
| 1712 | Kazekage.exe |
| 1712 | Kazekage.exe |
| 112 | Gaara.exe |
| 1712 | Kazekage.exe |
| 1712 | Kazekage.exe |
| 1104 | csrss.exe |
| 1712 | Kazekage.exe |
| 1712 | Kazekage.exe |
| 1712 | Kazekage.exe |
| 1712 | Kazekage.exe |
| 1784 | system32.exe |
| 1784 | system32.exe |
| 2264 | smss.exe |
| 1784 | system32.exe |
| 1784 | system32.exe |
| 1732 | Gaara.exe |
| 1784 | system32.exe |
| 1784 | system32.exe |
| 1792 | csrss.exe |
| 1784 | system32.exe |
| 1784 | system32.exe |
| 1784 | system32.exe |
| 1784 | system32.exe |
| 1248 | csrss.exe |
| 1248 | csrss.exe |
| 2796 | Gaara.exe |
| 2796 | Gaara.exe |
| 2796 | Gaara.exe |
| 2796 | Gaara.exe |
| 2648 | smss.exe |
| 2648 | smss.exe |
| 1384 | csrss.exe |
| 2648 | smss.exe |
| 2648 | smss.exe |
| 2648 | smss.exe |

| resource | yara_rule |
|---|---|
| behavioral1/memory/2416-0-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/files/0x0007000000015686-17.dat | upx |
| behavioral1/files/0x0007000000014531-30.dat | upx |
| behavioral1/memory/2648-40-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/files/0x00070000000145be-89.dat | upx |
| behavioral1/memory/1964-88-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/2796-92-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1964-80-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/files/0x0006000000015693-112.dat | upx |
| behavioral1/files/0x0007000000015686-108.dat | upx |
| behavioral1/memory/1032-136-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/2872-134-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/files/0x0007000000014691-139.dat | upx |
| behavioral1/memory/1284-192-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/2068-198-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/files/0x0007000000015686-208.dat | upx |
| behavioral1/memory/1712-210-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/2796-209-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/332-230-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/112-237-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/332-234-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1248-238-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1104-243-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1784-254-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/2264-266-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/2264-270-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1732-272-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1732-277-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1792-281-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/952-285-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1940-292-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1620-300-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1784-299-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1716-309-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/2056-320-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/2056-318-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/2344-326-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/2908-331-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/2908-335-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/2748-345-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/2748-344-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1248-342-0x0000000000540000-0x000000000056A000-memory.dmp | upx |
| behavioral1/memory/1656-336-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1784-330-0x0000000002470000-0x000000000249A000-memory.dmp | upx |
| behavioral1/memory/2344-329-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/3028-325-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/3028-323-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1384-314-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1716-305-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1620-304-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/2304-298-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/2304-296-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1940-289-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/952-287-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1712-271-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/files/0x0006000000015693-250.dat | upx |
| behavioral1/memory/1668-246-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/112-240-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/2068-201-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1284-194-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/2648-186-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1768-184-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/1248-149-0x0000000000400000-0x000000000042A000-memory.dmp | upx |
| behavioral1/memory/2416-147-0x0000000000400000-0x000000000042A000-memory.dmp | upx |

Adds Run key to start application 2 TTPs 24 IoCs

| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" | system32.exe |

| description | ioc | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe |

Drops desktop.ini file(s) 64 IoCs
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 38 IoCs
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Drops file in Windows directory 64 IoCs
Modifies Control Panel 64 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main system32.exe
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe
Modifies registry class 48 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | system32.exe
Runs ping.exe 1 TTPs 32 IoCs
pid | Process
ping.exe PIDs (32 entries): 2332, 2508, 2504, 992, 1312, 1540, 2808, 1952, 2052, 2868, 1032, 1940, 2992, 2668, 1920, 2948, 2600, 2504, 2624, 1668, 2832, 1984, 1600, 912, 2240, 1036, 1500, 1944, 316, 1900, 344, 3016
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process (repeated entries grouped, 64 in total)
2648 | smss.exe (12 entries)
2416 | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe (12 entries)
2796 | Gaara.exe (12 entries)
1248 | csrss.exe (12 entries)
1712 | Kazekage.exe (12 entries)
2648 | smss.exe (4 entries)
Suspicious use of SetWindowsHookEx 31 IoCs
pid | Process
2416 | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
2648 | smss.exe
1964 | smss.exe
2796 | Gaara.exe
2872 | smss.exe
1032 | Gaara.exe
1248 | csrss.exe
1768 | smss.exe
1284 | Gaara.exe
2068 | csrss.exe
1712 | Kazekage.exe
332 | smss.exe
112 | Gaara.exe
1104 | csrss.exe
1668 | Kazekage.exe
1784 | system32.exe
2264 | smss.exe
1732 | Gaara.exe
1792 | csrss.exe
952 | Kazekage.exe
1940 | system32.exe
2304 | system32.exe
1620 | Kazekage.exe
1716 | system32.exe
1384 | csrss.exe
2056 | Kazekage.exe
3028 | system32.exe
2344 | Gaara.exe
2908 | csrss.exe
1656 | Kazekage.exe
2748 | system32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target (each row appears 4 times in the report, 64 entries in total)
PID 2416 wrote to memory of 2648 | 2416 | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe | 28
PID 2648 wrote to memory of 1964 | 2648 | smss.exe | 29
PID 2648 wrote to memory of 2796 | 2648 | smss.exe | 30
PID 2796 wrote to memory of 2872 | 2796 | Gaara.exe | 31
PID 2796 wrote to memory of 1032 | 2796 | Gaara.exe | 32
PID 2796 wrote to memory of 1248 | 2796 | Gaara.exe | 33
PID 1248 wrote to memory of 1768 | 1248 | csrss.exe | 34
PID 1248 wrote to memory of 1284 | 1248 | csrss.exe | 35
PID 1248 wrote to memory of 2068 | 1248 | csrss.exe | 36
PID 1248 wrote to memory of 1712 | 1248 | csrss.exe | 37
PID 1712 wrote to memory of 332 | 1712 | Kazekage.exe | 38
PID 1712 wrote to memory of 112 | 1712 | Kazekage.exe | 39
PID 1712 wrote to memory of 1104 | 1712 | Kazekage.exe | 40
PID 1712 wrote to memory of 1668 | 1712 | Kazekage.exe | 41
PID 1712 wrote to memory of 1784 | 1712 | Kazekage.exe | 42
PID 1784 wrote to memory of 2264 | 1784 | system32.exe | 43
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Processes
(Process tree: each entry gives the image path, PID and nesting level, then the command line and the signatures triggered by that process; children are indented under their parent.)

C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe (PID 2416, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Sets file execution options in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe (PID 2648, level 2)
    Command line: "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"
    - Modifies WinLogon for persistence
    - Modifies visibility of file extensions in Explorer
    - Modifies visibility of hidden/system files in Explorer
    - UAC bypass
    - Disables RegEdit via registry modification
    - Drops file in Drivers directory
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Enumerates connected drives
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Sets desktop wallpaper using registry
    - Drops file in Windows directory
    - Modifies Control Panel
    - Modifies Internet Explorer settings
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe (PID 1964, level 3)
      Command line: "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
    C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe (PID 2796, level 3)
      Command line: "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Disables RegEdit via registry modification
      - Drops file in Drivers directory
      - Sets file execution options in registry
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe (PID 2872, level 4)
        Command line: "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
      C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe (PID 1032, level 4)
        Command line: "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetWindowsHookEx
      C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe (PID 1248, level 4)
        Command line: "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"
        - Modifies WinLogon for persistence
        - Modifies visibility of file extensions in Explorer
        - Modifies visibility of hidden/system files in Explorer
        - UAC bypass
        - Disables RegEdit via registry modification
        - Drops file in Drivers directory
        - Sets file execution options in registry
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops desktop.ini file(s)
        - Enumerates connected drives
        - Drops autorun.inf file
        - Drops file in System32 directory
        - Sets desktop wallpaper using registry
        - Drops file in Windows directory
        - Modifies Control Panel
        - Modifies Internet Explorer settings
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        - System policy modification
        C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe (PID 1768, level 5)
          Command line: "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
        C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe (PID 1284, level 5)
          Command line: "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
        C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe (PID 2068, level 5)
          Command line: "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 1712, level 5)
          Command line: C:\Windows\system32\drivers\Kazekage.exe
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - UAC bypass
          - Disables RegEdit via registry modification
          - Drops file in Drivers directory
          - Sets file execution options in registry
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops desktop.ini file(s)
          - Enumerates connected drives
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Sets desktop wallpaper using registry
          - Drops file in Windows directory
          - Modifies Control Panel
          - Modifies Internet Explorer settings
          - Modifies registry class
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - System policy modification
          C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe (PID 332, level 6)
            Command line: "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
          C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe (PID 112, level 6)
            Command line: "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
          C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe (PID 1104, level 6)
            Command line: "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 1668, level 6)
            Command line: C:\Windows\system32\drivers\Kazekage.exe
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx
          C:\Windows\SysWOW64\drivers\system32.exe (PID 1784, level 6)
            Command line: C:\Windows\system32\drivers\system32.exe
            - Modifies WinLogon for persistence
            - Modifies visibility of file extensions in Explorer
            - Modifies visibility of hidden/system files in Explorer
            - UAC bypass
            - Disables RegEdit via registry modification
            - Drops file in Drivers directory
            - Sets file execution options in registry
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Checks whether UAC is enabled
            - Drops desktop.ini file(s)
            - Enumerates connected drives
            - Drops autorun.inf file
            - Drops file in System32 directory
            - Sets desktop wallpaper using registry
            - Drops file in Windows directory
            - Modifies Control Panel
            - Modifies Internet Explorer settings
            - Modifies registry class
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            - System policy modification
            C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe (PID 2264, level 7)
              Command line: "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
            C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe (PID 1732, level 7)
              Command line: "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
            C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe (PID 1792, level 7)
              Command line: "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 952, level 7)
              Command line: C:\Windows\system32\drivers\Kazekage.exe
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\drivers\system32.exe (PID 1940, level 7)
              Command line: C:\Windows\system32\drivers\system32.exe
              - Executes dropped EXE
              - Suspicious use of SetWindowsHookEx
            C:\Windows\SysWOW64\ping.exe (PID 992, level 7)
              Command line: ping -a -l www.rasasayang.com.my 65500
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe (PID 1600, level 7)
              Command line: ping -a -l www.duniasex.com 65500
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe (PID 1920, level 7)
              Command line: ping -a -l www.rasasayang.com.my 65500
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe (PID 2992, level 7)
              Command line: ping -a -l www.duniasex.com 65500
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe (PID 2052, level 7)
              Command line: ping -a -l www.rasasayang.com.my 65500
              - Runs ping.exe
            C:\Windows\SysWOW64\ping.exe (PID 2868, level 7)
              Command line: ping -a -l www.duniasex.com 65500
              - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe (PID 2624, level 6)
            Command line: ping -a -l www.rasasayang.com.my 65500
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe (PID 2508, level 6)
            Command line: ping -a -l www.duniasex.com 65500
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe (PID 1952, level 6)
            Command line: ping -a -l www.rasasayang.com.my 65500
            - Runs ping.exe
          C:\Windows\SysWOW64\ping.exe (PID 2504, level 6)
            Command line: ping -a -l www.duniasex.com 65500
            - Runs ping.exe
        C:\Windows\SysWOW64\drivers\system32.exe (PID 2304, level 5)
          Command line: C:\Windows\system32\drivers\system32.exe
          - Executes dropped EXE
          - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\ping.exe (PID 1940, level 5)
          Command line: ping -a -l www.rasasayang.com.my 65500
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe (PID 1984, level 5)
          Command line: ping -a -l www.duniasex.com 65500
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe (PID 3016, level 5)
          Command line: ping -a -l www.rasasayang.com.my 65500
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe (PID 2240, level 5)
          Command line: ping -a -l www.duniasex.com 65500
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe (PID 2832, level 5)
          Command line: ping -a -l www.rasasayang.com.my 65500
          - Runs ping.exe
        C:\Windows\SysWOW64\ping.exe (PID 2808, level 5)
          Command line: ping -a -l www.duniasex.com 65500
          - Runs ping.exe
      C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 1620, level 4)
        Command line: C:\Windows\system32\drivers\Kazekage.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\drivers\system32.exe (PID 1716, level 4)
        Command line: C:\Windows\system32\drivers\system32.exe
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
      C:\Windows\SysWOW64\ping.exe (PID 1312, level 4)
        Command line: ping -a -l www.rasasayang.com.my 65500
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe (PID 1540, level 4)
        Command line: ping -a -l www.duniasex.com 65500
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe (PID 2332, level 4)
        Command line: ping -a -l www.rasasayang.com.my 65500
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe (PID 912, level 4)
        Command line: ping -a -l www.duniasex.com 65500
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe (PID 2668, level 4)
        Command line: ping -a -l www.rasasayang.com.my 65500
        - Runs ping.exe
      C:\Windows\SysWOW64\ping.exe (PID 2600, level 4)
        Command line: ping -a -l www.duniasex.com 65500
        - Runs ping.exe
    C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe (PID 1384, level 3)
      Command line: "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 2056, level 3)
      Command line: C:\Windows\system32\drivers\Kazekage.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\drivers\system32.exe (PID 3028, level 3)
      Command line: C:\Windows\system32\drivers\system32.exe
      - Executes dropped EXE
      - Suspicious use of SetWindowsHookEx
    C:\Windows\SysWOW64\ping.exe (PID 2504, level 3)
      Command line: ping -a -l www.rasasayang.com.my 65500
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe (PID 316, level 3)
      Command line: ping -a -l www.duniasex.com 65500
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe (PID 1500, level 3)
      Command line: ping -a -l www.rasasayang.com.my 65500
      - Runs ping.exe
    C:\Windows\SysWOW64\ping.exe (PID 1668, level 3)
      Command line: ping -a -l www.duniasex.com 65500
      - Runs ping.exe
  C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe (PID 2344, level 2)
    Command line: "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe (PID 2908, level 2)
    Command line: "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\drivers\Kazekage.exe (PID 1656, level 2)
    Command line: C:\Windows\system32\drivers\Kazekage.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\drivers\system32.exe (PID 2748, level 2)
    Command line: C:\Windows\system32\drivers\system32.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
  C:\Windows\SysWOW64\ping.exe (PID 1944, level 2)
    Command line: ping -a -l www.rasasayang.com.my 65500
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe (PID 1032, level 2)
    Command line: ping -a -l www.duniasex.com 65500
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe (PID 1900, level 2)
    Command line: ping -a -l www.rasasayang.com.my 65500
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe (PID 344, level 2)
    Command line: ping -a -l www.duniasex.com 65500
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe (PID 1036, level 2)
    Command line: ping -a -l www.rasasayang.com.my 65500
    - Runs ping.exe
  C:\Windows\SysWOW64\ping.exe (PID 2948, level 2)
    Command line: ping -a -l www.duniasex.com 65500
    - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15 (tactic, technique, sub-technique; signature counts in parentheses)
Persistence
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (3)
    Registry Run Keys / Startup Folder (2)
    Winlogon Helper DLL (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (1)
    Disable or Modify Tools (1)
  Modify Registry (9)
Downloads
Filesize 736B
MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

Filesize 196B
MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

Filesize 66KB
MD5 a56111dc985a023d684af9a9ae112981
SHA1 c4e7e68b067d011d4c83030736e0507343ba5da6
SHA256 b133d74ce4162f3d7e2467c18182a646bec0ffdf146d8404c480a129ced3b25e
SHA512 4393c2fa7131c0538a37617b858e7f43d60a489ca39c84e389f2686f89ee2bb9d50de91d551a19e8b726481888c62d00d580ad485639cf63c077d48a66a1979a

Filesize 1.4MB
MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

Filesize 65B
MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

Filesize 66KB
MD5 3c02e26e944908f6ede7e619bdceafb3
SHA1 1d6ae1a6a47907be95f83e76e5357c690ed2fe80
SHA256 7a4c3d86b99887cccb051133e07b747e7793f481ef60e5647a73bf7792780a4e
SHA512 73c9327383a9326db8e426dbfd62cd33a6a16c2d13cc582e34f64bdf9f792cd7e0eb773abe47011d177a89279ef119d1e1ca57be416522a4a118828c5a670080

Filesize 66KB
MD5 4f638f90ece1cd2c4f8b10a792956d70
SHA1 ab95276f68053c4bdaea10975610dea6b0b042eb
SHA256 e70f2481aa838b9592454700e264c29acb17521fda0303adfbaac30963ec6a59
SHA512 e5801242754199a6ff77dc2d8ec266f2051971b8dc74f5f05108ecbdce2ab9346a2ab0bde9847ba075edfaf0ed5be88d380d89750e7cfe842caffd410f9a2bbb

Filesize 66KB
MD5 c05db41de34cd32d667c3805a5f3dd5e
SHA1 bef57144ad3d8ba9218e7ace31ae9a61e9eba5c3
SHA256 dcb15b123582eb32d92e98db68a22e674511dc118381e4a5dc7e878132f3a1b7
SHA512 596431d920698d8bffd0103ab1d9432c4575ab0fcc15411a834d01fbd2105d99feab6046bbb5ad32eeda3d0913f4c34c7160e44acdadc6e59df33184cafb844e

Filesize 66KB
MD5 23588ff63a8525558c0f783839612dab
SHA1 854a5763eb864f3c15c3b9bc12d28274be53aff5
SHA256 9133db91763b9500f5f4d7deb66846509405abb5d7a3d96d87b2384f6f9d4f81
SHA512 0b4d1e52d28aa3beeff7bac758e7428d1452864c7a8549dc4f8a994a56ce44c44dc5bec9bd9400cfa68ab89688090fc60f3d76a0f52d2c6818438d081f517d4c

Filesize 66KB
MD5 60dafa79cbeddef47e65c85574d824f5
SHA1 a75e1cdd387fcd9ce8613e8f632418015dc25354
SHA256 ab0b8917c4fc97bdd2e6896bf88b55e8fae1dda154200512016ad5334cb9b044
SHA512 8a98a710f259865abebd6c450de42cac7407004a3b12e8767671ac8160e48f1f2985abbe1356502aa88749cda9278d6e6fde3ad1567d23afc66902b7a200634f

Filesize 960KB
MD5 d59546150d62ff1bd62f4d69b43a970a
SHA1 3688f73e9fd18e61df1d59f3153ce88a7f6b37c5
SHA256 5cd7a9848fe89888e660b08c4e1b0169a43d99c8580206d16641f3cc3f097b71
SHA512 d04c325c00b25c4ba2b4f818bd5525c78a085e8fac771f9f280714deac8a406cbaad49f347029be7abb1b65e35cbfdfc027ba7dfc729306e9db82d64294b3585

Filesize 1.3MB
MD5 b905105a3b1b10882ba1a8544f7237fb
SHA1 04f234f902675b6bf434173e08d27a3df3e579ee
SHA256 04d113b23c6be6d36201328504e7b9664471a121f81afc037f73e03a05d914d7
SHA512 0d8b5c5027931e7525a3f08347605764358b617827f9a9782e36055268f6237b46136e1800791368cac6c279b85d1e7152d250894a72f0b27d6305940543b4e9

Filesize 1.3MB
MD5 5343a19c618bc515ceb1695586c6c137
SHA1 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
SHA256 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
SHA512 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Filesize 768KB
MD5 09298236a9fd4b7d2450cf3538f16827
SHA1 1528d16de7f6aabde96ada46ae92452d84eb0bdf
SHA256 83462cf5217c728d9370b9d8aedfadde8f1cefda3d17a148cbec5b231fc58b8c
SHA512 64381995b720a633cefffa5400eb5cf7b320c26c57de105606450fd2e2254081ab9acd88c07281db7f222a4263c732123ce6fc720a4d99061bcd0345febafc1f

Filesize 66KB
MD5 5ac7618c3999a1933252ecbcd6d14109
SHA1 5834d5c5be08fd78557ec2f2c95e01923e8fa8f7
SHA256 e440500d3ac82ece0142d2c3a6de4caebe92a15fb47bd655b51063183cdaf7d6
SHA512 0d5d42ef92b3e41397c525f5865879fcb7a1ce323a669ab3cb2d8f6cbcfd7cb0e4d2f15589150eeaf38149c72b141078a8f78d63f57180fd14a1ddef250700f6

Filesize 66KB
MD5 3c14f46add7c22aa4a3fbc79e68ba8bb
SHA1 0a583f35e06d980c5e253251be7f6a47d2560142
SHA256 320a4b20eae0e578f25cb7cf586e4ecaf5a05d45c8d80e7cb6f8dfffc3a57af8
SHA512 9906b4fcc244d252d464705b6038a9839fb21eeaa4d2f991f0e52219541e299511f307b6dc409c783e81edab66d947d00fac3321ab5c4af7c30a5a5b42c96db6