Malware Analysis Report

2025-01-03 08:25

Sample ID 240617-fxefeawcmc
Target 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
SHA256 e70f2481aa838b9592454700e264c29acb17521fda0303adfbaac30963ec6a59
Tags
upx evasion persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e70f2481aa838b9592454700e264c29acb17521fda0303adfbaac30963ec6a59

Threat Level: Known bad

The file 4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

upx evasion persistence ransomware trojan

UAC bypass

Modifies visibility of file extensions in Explorer

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

Disables use of System Restore points

Drops file in Drivers directory

Sets file execution options in registry

Disables RegEdit via registry modification

Loads dropped DLL

UPX packed file

Executes dropped EXE

Adds Run key to start application

Drops desktop.ini file(s)

Enumerates connected drives

Checks whether UAC is enabled

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

System policy modification

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Runs ping.exe

Modifies registry class

Modifies Control Panel

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-17 05:14

Signatures

UPX packed file

upx
Description Indicator Process Target
(1 row, all fields N/A)

Unsigned PE

Description Indicator Process Target
(2 rows, all fields N/A)
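
How the two static1 signatures above, "UPX packed file" and "Unsigned PE", are usually derived from the PE header, as an added example (this is not Triage's detector, and the sample's own bytes are not on this page). The section table is read for the default UPX section names or the "UPX!" marker, and the security data directory (index 4, the Authenticode certificate table) is checked for an attached signature blob. Because the real file is unavailable here, build_test_pe() constructs header-only PE images (no code) purely to exercise the parser; that helper, the constant names and the test section layouts are this example's own.

```python
"""Derive the "UPX packed file" and "Unsigned PE" static signatures from a PE header.

Added example; not Triage's code. The sample's bytes are not on this page, so
build_test_pe() constructs header-only PEs to exercise the parser.
"""
import struct

UPX_SECTION_NAMES = {"UPX0", "UPX1", "UPX2"}   # default section names written by UPX
UPX_MARKER = b"UPX!"                            # magic in UPX's packed-header block
IMAGE_DIRECTORY_ENTRY_SECURITY = 4              # Authenticode certificate table


def parse_pe(data):
    """Return section names and the (offset, size) of the security directory."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, n_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:        # PE32
        n_rva_off, dd_off = opt + 92, opt + 96
    elif magic == 0x20B:      # PE32+
        n_rva_off, dd_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_rva = struct.unpack_from("<I", data, n_rva_off)[0]
    sec_off = sec_size = 0
    if n_rva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # Unlike the other directories, the security entry holds a raw file offset, not an RVA.
        sec_off, sec_size = struct.unpack_from(
            "<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    table = opt + opt_size
    names = [data[table + 40 * i: table + 40 * i + 8].rstrip(b"\0").decode("ascii", "replace")
             for i in range(n_sections)]
    return {"sections": names, "security_dir": (sec_off, sec_size)}


def static_signatures(data):
    """Mirror the two static1 signatures: UPX packing and missing Authenticode signature."""
    pe = parse_pe(data)
    upx = bool(UPX_SECTION_NAMES & set(pe["sections"])) or UPX_MARKER in data
    # A non-zero security directory only proves a certificate blob is attached; whether it
    # verifies needs a chain check (signtool verify / Get-AuthenticodeSignature).
    unsigned = pe["security_dir"][1] == 0
    return {"sections": pe["sections"], "upx_packed": upx, "unsigned_pe": unsigned}


def build_test_pe(section_names, security_size=0, pe32plus=False):
    """Constructed header-only PE (no code) used only to exercise the parser."""
    opt_size = 240 if pe32plus else 224                     # includes 16 data directories
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)         # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, len(section_names),
                       0, 0, 0, opt_size, 0x0002)            # IMAGE_FILE_EXECUTABLE_IMAGE
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    n_rva_off, dd_off = (108, 112) if pe32plus else (92, 96)
    struct.pack_into("<I", opt, n_rva_off, 16)
    struct.pack_into("<II", opt, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY,
                     0x1000 if security_size else 0, security_size)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + bytes(opt) + sections


if __name__ == "__main__":
    print(static_signatures(build_test_pe(["UPX0", "UPX1", ".rsrc"])))
    print(static_signatures(build_test_pe([".text", ".rdata"], security_size=0x1800, pe32plus=True)))
```

Two caveats when reusing this on real files: a packer that renames its sections defeats the name check (the "UPX!" marker and high section entropy are the usual fallbacks), and "signed" here means only that a certificate table is present; the signature still has to be verified before it counts for anything.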

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-17 05:14

Reported

2024-06-17 05:17

Platform

win7-20240508-en

Max time kernel

150s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
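
The Winlogon, Explorer/Policies and Image File Execution Options tables above are the rows an incident responder acts on first, so here is a small re-triage of them as an added example (this is not Triage's code and not part of the report). The rows in REPORT_ROWS are copied verbatim from those tables; the regex assumes this export's row layout, and ADMIN_TOOLS and the restore values in POLICY are this example's own choices. Two points it makes explicit: an IFEO Debugger of "cmd.exe /c del" deletes the target executable the moment it is launched (Windows prepends the Debugger string to the target's command line), while "drivers\\Kazekage.exe" runs the implant in place of taskmgr, msconfig and the other tools; and the Wow6432Node and SysWOW64 paths in these rows are the WOW64 view of a 32-bit process on 64-bit Windows, so on a live host both the native and the Wow6432Node keys need to be checked.

```python
"""Re-triage of the "Set value" rows above (added example, not part of the Triage report).

Answers three responder questions from the flattened signature tables: which components
were appended to Winlogon Userinit/Shell, which IFEO images are deleted on launch versus
silently replaced, and which policy/Explorer settings were flipped and what restores them.
"""
import re

# Rows copied verbatim from the behavioral1 tables above (one per distinct key/value).
REPORT_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
"""

# Row layout of this export: Set value (<type>) <key> = "<value>" <process> N/A
ROW_RE = re.compile(r'^Set value \((str|int)\) (.+?) = "(.*)" (.+?) N/A$')
# Windows defaults: Userinit = "C:\Windows\system32\userinit.exe," and Shell = "explorer.exe".
WINLOGON_DEFAULTS = {"userinit": "userinit.exe", "shell": "explorer.exe"}
# Built-in admin/security tools seen as IFEO targets in this report (assumed list, for labelling).
ADMIN_TOOLS = {"taskmgr.exe", "regedit.exe", "regedt32.exe", "msconfig.exe", "rstrui.exe",
               "mmc.exe", "wscript.exe", "cscript.exe", "procexp.exe"}
# value name -> (value to restore, effect of the malicious setting). Restore values are the
# hardened choices; HideFileExt=1 and ShowSuperHidden=0 are also Windows defaults, which the
# malware re-asserts so that a user who had changed them loses the change.
POLICY = {
    "enablelua": ("1", "UAC disabled (takes effect at next reboot)"),
    "disableregistrytools": ("0", "regedit blocked for this user"),
    "hidefileext": ("0", "known extensions hidden: 'x.avi.exe' displays as 'x.avi'"),
    "showsuperhidden": ("1", "protected OS files hidden in Explorer"),
}


def parse_rows(text):
    """Parse export rows; the export escapes backslashes inside values, so unescape them."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if m:
            kind, key, value, proc = m.groups()
            rows.append({"type": kind, "key": key, "value": value.replace("\\\\", "\\"),
                         "process": proc})
    return rows


def winlogon_extras(rows):
    """Components of Winlogon Userinit/Shell other than the default executable."""
    extras = {}
    for r in rows:
        parts = r["key"].split("\\")
        name = parts[-1].lower()
        if len(parts) < 2 or parts[-2].lower() != "winlogon" or name not in WINLOGON_DEFAULTS:
            continue
        for comp in (c.strip() for c in r["value"].split(",")):
            if comp and comp.split("\\")[-1].lower() != WINLOGON_DEFAULTS[name]:
                extras.setdefault(name, [])
                if comp not in extras[name]:
                    extras[name].append(comp)
    return extras


def ifeo_findings(rows):
    """Image File Execution Options hijacks.

    CreateProcess prepends the Debugger string to the target's command line, so
    Debugger = "cmd.exe /c del" becomes  cmd.exe /c del "<path to image>"  and the
    target is deleted instead of started; any other value runs in the target's place.
    """
    out = []
    for r in rows:
        parts = r["key"].split("\\")
        if parts[-1].lower() != "debugger" or "image file execution options" not in r["key"].lower():
            continue
        image, dbg = parts[-2], r["value"]
        action = "delete" if dbg.lower().startswith("cmd.exe /c del") else "redirect"
        out.append({"image": image, "debugger": dbg, "action": action,
                    "builtin_tool": image.lower() in ADMIN_TOOLS})
    return out


def policy_tamper(rows):
    """Security/Explorer values that differ from the restore value in POLICY."""
    out = []
    for r in rows:
        name = r["key"].split("\\")[-1].lower()
        if name in POLICY and r["value"] != POLICY[name][0]:
            restore, effect = POLICY[name]
            out.append({"value": name, "set_to": r["value"], "restore_to": restore, "effect": effect})
    return out


if __name__ == "__main__":
    rows = parse_rows(REPORT_ROWS)
    print("Winlogon extras:", winlogon_extras(rows))
    for f in ifeo_findings(rows):
        print("IFEO", f["image"], f["action"], f["debugger"], "[built-in tool]" if f["builtin_tool"] else "")
    for p in policy_tamper(rows):
        print(p["value"], "=", p["set_to"], "-> restore", p["restore_to"], "(" + p["effect"] + ")")
```

Order matters when cleaning a host that shows these rows: remove the IFEO Debugger values first, using reg.exe (which is not among the hijacked images in this report) or an offline hive edit, because as long as they exist, opening taskmgr, regedit, msconfig or rstrui launches the implant again and opening procexp deletes it. Then restore the Winlogon values, revert the POLICY settings (EnableLUA only takes effect after a reboot), and only afterwards deal with the Run keys and dropped files listed further down.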

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A

UPX packed file

upx
Description Indicator Process Target
(64 rows, all fields N/A)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Checks whether UAC is enabled

evasion trojan
The signature name understates what the rows show. Each process writes EnableLUA = 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which disables UAC (Admin Approval Mode) for every user from the next logon, rather than merely reading the setting. Unlike the Run values above, this write goes to the native key rather than Wow6432Node, consistent with Policies being shared between the 32-bit and 64-bit registry views. On a suspect host, reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v EnableLUA should return 0x1.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
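The two registry tables above can be triaged mechanically. The following is an added example, not code from the report or from the sandbox vendor: it parses rows in the "Set value" shape shown above, extracts key, value name, data and writing process, flags Run values whose data is a relative path and EnableLUA = 0, and then collapses the report's duplicate rows into one entry per write with the list of processes that made it. The sample rows are copied from the tables above; the rule names and the ABS_PATH_RE heuristic are this example's own.

```python
"""Triage sandbox "Set value" rows: Run-key persistence and EnableLUA=0."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: three rows copied in shape from the report tables above.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A',
]

# Row shape: Set value (<type>) <key>\<name> = "<data>" <writer> N/A
ROW_RE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "([^"]*)" (.+?) N/A$')
# Heuristic (this example's own): drive-letter or UNC path counts as absolute.
ABS_PATH_RE = re.compile(r'^(?:[A-Za-z]:\\|\\\\)')


@dataclass
class RegWrite:
    kind: str      # value type as the sandbox reports it (str/int)
    key: str       # parent key path
    name: str      # value name
    data: str      # value data; the report doubles backslashes, collapsed here
    writer: str    # process that performed the write


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    writer: str


def parse_row(line: str) -> Optional[RegWrite]:
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    kind, full_key, data, writer = m.groups()
    key, _, name = full_key.rpartition("\\")
    return RegWrite(kind, key, name, data.replace("\\\\", "\\"), writer)


def triage(rows: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in rows:
        w = parse_row(line)
        if w is None:
            continue
        key = w.key.lower()
        if key.endswith(r"\currentversion\run"):
            # Wow6432Node in the key path means a 32-bit writer under WOW64.
            # A relative target is resolved via the launching shell's search
            # path at logon, so the value name is the stable indicator.
            rule = "run-key" if ABS_PATH_RE.match(w.data) else "run-key-relative"
            findings.append(Finding(rule, f"{w.name} -> {w.data}", w.writer))
        elif key.endswith(r"\policies\system") and w.name.lower() == "enablelua" and w.data == "0":
            findings.append(Finding("uac-disabled", "EnableLUA=0", w.writer))
    return findings


def writers_by_finding(findings: List[Finding]) -> Dict[Tuple[str, str], List[str]]:
    """Collapse the report's duplicate rows: which processes made each write."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[(f.rule, f.detail)].add(f.writer)
    return {k: sorted(v) for k, v in grouped.items()}


if __name__ == "__main__":
    for (rule, detail), writers in writers_by_finding(triage(SAMPLE_ROWS)).items():
        print(f"{rule:18} {detail}")
        for w in writers:
            print(f"{'':18}   written by {w}")
```

Feeding the full Run and EnableLUA tables through triage() and writers_by_finding() yields four Run entries and one UAC entry, each attributed to all six processes, which is the quickest way to see that every dropped binary re-establishes the complete persistence set.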

Drops desktop.ini file(s)

Desktop.ini is opened for writing at the root of every drive letter the sample can reach, in the same pass that writes Autorun.inf (see that table below); the report does not show the file contents. The \??\ prefix is the NT object-manager form of the path as the sandbox logged it; a sandbox VM has only a couple of volumes, so most of these rows (A: and B: included) record attempts on unmapped letters rather than successful writes.
Description Indicator Process Target
File opened for modification \??\B:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A

Enumerates connected drives

The read-only opens of bare drive letters are the drive scan that precedes the Desktop.ini and Autorun.inf writes; each of the six processes repeats the scan independently rather than sharing state.
Description Indicator Process Target
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops autorun.inf file

Autorun.inf at a drive root is the classic removable-media propagation vector. Since Windows 7 (and the corresponding update for earlier versions) Windows no longer honours Autorun.inf on non-optical removable media, so on current systems the file is mainly an infection marker, but it still records which volumes the sample has touched: check removable drives and mapped shares for a root-level Autorun.inf paired with Desktop.ini.
Description Indicator Process Target
File created \??\A:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\G:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created \??\X:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created \??\J:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
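The drive-enumeration, Desktop.ini and Autorun.inf tables above are easier to read as a per-process summary of which drive letters were scanned and which received the two marker files. The following is an added example, not code from the report or from the sandbox vendor: it parses rows in the three "File ..." shapes shown above, strips the \??\ prefix, and groups drives per writing process; the min_drives threshold in removable_spreaders() is this example's own heuristic. The sample rows are copied from the tables above.

```python
"""Summarise drive-root writes (Autorun.inf, Desktop.ini) per writing process."""
import re
from collections import defaultdict
from typing import Dict, List, Set

# Constructed sample: rows copied in shape from the three drive tables above.
SAMPLE_ROWS = [
    r'File created \??\A:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A',
    r'File opened for modification \??\A:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A',
    r'File created \??\G:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A',
    r'File opened for modification \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A',
    r'File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A',
    r'File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A',
]

# Row shape: <action> <indicator-without-spaces> <writer> N/A
ROW_RE = re.compile(
    r'^(File created|File opened for modification|File opened \(read-only\)) (\S+) (.+?) N/A$'
)
NT_PREFIX = "\\??\\"   # NT object-manager form the sandbox logs for some paths


def split_drive(indicator: str):
    """'\\??\\A:\\Autorun.inf' -> ('A', 'Autorun.inf'); '\\??\\E:' -> ('E', '')."""
    path = indicator[len(NT_PREFIX):] if indicator.startswith(NT_PREFIX) else indicator
    if len(path) >= 2 and path[1] == ":" and path[0].isalpha():
        return path[0].upper(), path[2:].lstrip("\\")
    return None, path


def spread_summary(rows: List[str]) -> Dict[str, Dict[str, Set[str]]]:
    """writer -> {'drives': letters touched, 'autorun': ..., 'desktopini': ...}"""
    summary = defaultdict(lambda: {"drives": set(), "autorun": set(), "desktopini": set()})
    for line in rows:
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        _, indicator, writer = m.groups()
        drive, rest = split_drive(indicator)
        if drive is None:
            continue
        entry = summary[writer]
        entry["drives"].add(drive)
        if rest.lower() == "autorun.inf":
            entry["autorun"].add(drive)
        elif rest.lower() == "desktop.ini":
            entry["desktopini"].add(drive)
    return dict(summary)


def all_drives(summary) -> Set[str]:
    return set().union(*(e["drives"] for e in summary.values())) if summary else set()


def removable_spreaders(summary, min_drives: int = 3) -> List[str]:
    """Writers that planted Autorun.inf on at least min_drives roots (heuristic)."""
    return sorted(w for w, e in summary.items() if len(e["autorun"]) >= min_drives)


if __name__ == "__main__":
    s = spread_summary(SAMPLE_ROWS)
    for writer, e in s.items():
        print(writer)
        print("  drives:", "".join(sorted(e["drives"])),
              "autorun:", "".join(sorted(e["autorun"])),
              "desktop.ini:", "".join(sorted(e["desktopini"])))
    print("spreaders:", removable_spreaders(s))
```

Run over the complete tables, all_drives() returns every letter from A: to Z:, which is the signature of a blind drive sweep rather than a targeted write to removable media, and removable_spreaders() returns all six processes.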

Drops file in System32 directory

msvbvm60.dll is the Visual Basic 6 runtime and mscomctl.ocx the VB6 common-controls library: the sample carries and rewrites its own copies rather than relying on whatever the host has, which is typical of VB6-authored worms. 17-6-2024.exe in SysWOW64 is the file the 644r4 Run value above points at. All writers are 32-bit, so a write the sample addresses to C:\Windows\System32 is redirected by WOW64 file-system redirection into SysWOW64, which is why every path in this table is under SysWOW64 rather than System32 proper.
Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\17-6-2024.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A

Sets desktop wallpaper using registry

ransomware
The write to the interactive user's Control Panel\Desktop\Wallpaper value is what triggers the ransomware tag; it points at an image the sample drops into C:\Windows\Fonts. Nothing in the tables of this section shows files being encrypted or renamed, so treat the tag as a defacement indicator unless the process and file views show otherwise.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A

Drops file in Windows directory

C:\Windows\Fonts is an unusual drop location: Explorer renders it through a fonts shell view that does not list non-font files, so the payload directory (named after the username and the date) is invisible to a casual look. Copies of msvbvm60.dll are also written next to the payloads, into C:\Windows and C:\Windows\WBEM, and a file named mscoree.dll is written into C:\Windows\system; these directories sit on the default DLL search path, so a loader that resolves those names by search order could pick up the planted copies. Legitimate smss.exe and csrss.exe exist only in C:\Windows\System32; any copy under Fonts or under SysWOW64\drivers is a masquerade and should be treated as a dropped payload.
Description Indicator Process Target
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2416 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2648 wrote to memory of 1964 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2648 wrote to memory of 2796 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2796 wrote to memory of 2872 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2796 wrote to memory of 1032 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2796 wrote to memory of 1248 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 1248 wrote to memory of 1768 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 1248 wrote to memory of 1284 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 1248 wrote to memory of 2068 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 1248 wrote to memory of 1712 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1712 wrote to memory of 332 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 1712 wrote to memory of 112 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 1712 wrote to memory of 1104 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 1712 wrote to memory of 1668 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1712 wrote to memory of 1784 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1784 wrote to memory of 2264 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe

"C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

"C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp

Files

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system\msvbvm60.dll

\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

C:\Windows\Fonts\The Kazekage.jpg

C:\Windows\msvbvm60.dll

C:\Windows\system\msvbvm60.dll

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

C:\Windows\msvbvm60.dll

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\Fonts\The Kazekage.jpg

\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Autorun.inf

C:\Admin Games\Readme.txt

C:\Windows\SysWOW64\Desktop.ini

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-17 05:14

Reported

2024-06-17 05:17

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A

Modifies visibility of file extensions in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Disables use of System Restore points

evasion

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A

Sets file execution options in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
(64 identical rows; the report records no description, indicator, process or target for any of the UPX matches)

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 17 - 6 - 2024\\Gaara.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 17 - 6 - 2024\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
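The tables above are the sandbox's flattened signature rows, and a few points in them deserve a practitioner's check. Both the "UAC bypass" and "Checks whether UAC is enabled" signatures fire on the same EnableLUA = "0" write, and that value only takes effect at the next reboot. The Image File Execution Options rows are two different tricks: Windows prepends the Debugger string to the command line of the image being launched, so a Debugger of cmd.exe /c del deletes whatever binary was started (the names used, such as Obito.exe, HokageFile.exe, Rin.exe and Thumbs.com, are other worms' file names), while a Debugger of drivers\\Kazekage.exe runs the worm in place of taskmgr.exe, regedit.exe, regedt32.exe, mmc.exe, msconfig.exe, rstrui.exe, cscript.exe and wscript.exe. The Winlogon and Run values were written under WOW6432Node because the sample is 32-bit; on a 64-bit host, compare the native Winlogon key as well before treating that persistence path as live. The Python below is an added example, not part of this report or of any tool the report was produced with: it parses the three row shapes that occur in these tables (Set value, Key created, File created/opened for modification), undoes the report's doubled backslashes inside quoted values, and applies those checks plus a tally of the per-drive Desktop.ini writes shown in the next table. The sample rows are copied from this page; the tamper-signal table and the Winlogon defaults are my own assumptions about a clean Windows host.

```python
"""Added example (not part of the sandbox report): parse the flattened
'Description Indicator Process Target' rows above into records and run the
persistence/evasion checks a responder would want over them."""
import re

# Keys and process paths both contain spaces, so each pattern anchors on an
# unambiguous delimiter: ' = "' before a value, a drive-letter path for the
# process column, and the trailing N/A target column.
SET_VALUE = re.compile(
    r'^Set value \((?:str|int)\) (?P<key>\\REGISTRY\\.+?) = "(?P<value>[^"]*)" '
    r'(?P<proc>[A-Z]:\\.+?) N/A$')
KEY_CREATED = re.compile(r'^Key created (?P<key>\\REGISTRY\\.+?) (?P<proc>[A-Z]:\\.+?) N/A$')
FILE_OP = re.compile(
    r'^File (?P<op>created|opened for modification) (?P<path>.+?) (?P<proc>[A-Z]:\\.+?) N/A$')

# Assumed (key suffix, written value) -> why it matters. HideFileExt=1 is the
# Windows default, but the worm re-asserts it so 'Scandal.avi.exe' keeps
# displaying as 'Scandal.avi'. EnableLUA=0 only takes effect after a reboot.
TAMPER_SIGNALS = {
    ("policies\\system\\enablelua", "0"): "UAC disabled (after next reboot)",
    ("policies\\system\\disableregistrytools", "1"): "regedit blocked by policy",
    ("explorer\\advanced\\hidefileext", "1"): "file extensions hidden",
    ("explorer\\advanced\\showsuperhidden", "0"): "hidden/system files not shown",
}
# Assumed: the only program each Winlogon value names on a clean host.
WINLOGON_DEFAULT = {"shell": "explorer.exe", "userinit": "userinit.exe"}

# Rows copied verbatim from the tables on this page; the last one is a row
# shape the parser deliberately ignores.
SAMPLE_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A',
    r'File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "17-6-2024.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A',
    r'File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A',
    r'File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A',
    r'N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A',
]


def parse_row(row):
    """Return a record dict for one table row, or None for other row shapes."""
    for kind, pattern in (("set", SET_VALUE), ("key", KEY_CREATED), ("file", FILE_OP)):
        m = pattern.match(row)
        if m:
            rec = {"kind": kind, **m.groupdict()}
            if "value" in rec:
                # The report doubles backslashes inside quoted values; undo that.
                rec["value"] = rec["value"].replace("\\\\", "\\")
            return rec
    return None


def analyse(rows):
    """Run the checks over parsed rows and return the findings by category."""
    out = {"ifeo": {}, "winlogon": {}, "policy": set(), "run": {},
           "drives": set(), "dropped": set(), "actors": set()}
    for rec in filter(None, map(parse_row, rows)):
        out["actors"].add(rec["proc"].split("\\")[-1])
        if rec["kind"] == "set":
            key, value, low = rec["key"], rec["value"], rec["key"].lower()
            if "\\image file execution options\\" in low and low.endswith("\\debugger"):
                # Windows prepends the Debugger string to the launched image's
                # command line: 'cmd.exe /c del' deletes that binary, any other
                # program runs in its place.
                image = key.split("\\")[-2]
                killed = value.lower().startswith("cmd.exe /c del")
                out["ifeo"][image] = "deleted on launch" if killed else "replaced by " + value
            elif "\\winlogon\\" in low:
                name = key.split("\\")[-1].lower()
                entries = [e.strip() for e in value.split(",") if e.strip()]
                # Anything other than the single default program is an injected launcher.
                extra = [e for e in entries if e.lower().split("\\")[-1] != WINLOGON_DEFAULT.get(name)]
                if extra:
                    out["winlogon"][name] = extra
            elif "\\currentversion\\run\\" in low:
                # Relative command lines depend on the launcher's search path and
                # current directory; record them so they can be resolved on the host.
                relative = not re.match(r"^[A-Za-z]:\\", value)
                out["run"][key.split("\\")[-1]] = (value, relative)
            else:
                for (suffix, bad), reason in TAMPER_SIGNALS.items():
                    if low.endswith(suffix) and value == bad:
                        out["policy"].add(reason)
        elif rec["kind"] == "file":
            m = re.match(r"^(?:\\\?\?\\)?([A-Z]):\\Desktop\.ini$", rec["path"])
            if m:
                out["drives"].add(m.group(1))   # one Desktop.ini per enumerated drive
            elif rec["op"] == "created":
                out["dropped"].add(rec["path"])
    return out


if __name__ == "__main__":
    for category, finding in analyse(SAMPLE_ROWS).items():
        print(f"{category}: {finding}")
```

Feeding the full tables through analyse() gives the complete IFEO hijack list, the injected Winlogon launchers, every Run name and whether its command line is relative, and the set of drive letters the worm touched; the actors set shows that all six copies (the original sample, smss.exe, csrss.exe, Gaara.exe, Kazekage.exe and system32.exe) re-assert the same keys, which is why each signature lists the same write six times.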

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\K:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created \??\H:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created \??\X:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created \??\U:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created D:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created F:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\17-6-2024.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\SysWOW64\17-6-2024.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A

Modifies Control Panel

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1544 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 1544 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 1544 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2360 wrote to memory of 2380 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2360 wrote to memory of 2380 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2360 wrote to memory of 2380 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2360 wrote to memory of 3112 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2360 wrote to memory of 3112 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2360 wrote to memory of 3112 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 3112 wrote to memory of 4140 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 3112 wrote to memory of 4140 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 3112 wrote to memory of 4140 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 3112 wrote to memory of 5060 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 3112 wrote to memory of 5060 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 3112 wrote to memory of 5060 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 3112 wrote to memory of 520 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 3112 wrote to memory of 520 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 3112 wrote to memory of 520 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 520 wrote to memory of 3028 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 520 wrote to memory of 3028 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 520 wrote to memory of 3028 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 520 wrote to memory of 3712 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 520 wrote to memory of 3712 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 520 wrote to memory of 3712 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 520 wrote to memory of 1444 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 520 wrote to memory of 1444 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 520 wrote to memory of 1444 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 520 wrote to memory of 3100 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 520 wrote to memory of 3100 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 520 wrote to memory of 3100 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3100 wrote to memory of 1232 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 3100 wrote to memory of 1232 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 3100 wrote to memory of 1232 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 3100 wrote to memory of 4652 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 3100 wrote to memory of 4652 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 3100 wrote to memory of 4652 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 3100 wrote to memory of 4408 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 3100 wrote to memory of 4408 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 3100 wrote to memory of 4408 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 3100 wrote to memory of 2396 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3100 wrote to memory of 2396 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3100 wrote to memory of 2396 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3100 wrote to memory of 2032 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3100 wrote to memory of 2032 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3100 wrote to memory of 2032 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2032 wrote to memory of 2648 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2032 wrote to memory of 2648 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2032 wrote to memory of 2648 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
PID 2032 wrote to memory of 3740 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2032 wrote to memory of 3740 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2032 wrote to memory of 3740 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
PID 2032 wrote to memory of 628 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 2032 wrote to memory of 628 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 2032 wrote to memory of 628 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
PID 2032 wrote to memory of 3792 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2032 wrote to memory of 3792 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2032 wrote to memory of 3792 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2032 wrote to memory of 800 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2032 wrote to memory of 800 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2032 wrote to memory of 800 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 520 wrote to memory of 3388 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 520 wrote to memory of 3388 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 520 wrote to memory of 3388 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3112 wrote to memory of 112 N/A C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
    "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
    "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
    "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
    "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
    "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
    "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
    "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
    "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
    "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe
    C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
    "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
    "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
    "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe
    C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe
    C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
    "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
    "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
    "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe
    C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe
    C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe
    C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe
    C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe
    C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
    "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe
    C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe
    C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
    "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
    "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe
    C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe
    C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe
    ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 193.142.123.92.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp
US 8.8.8.8:53 220.255.0.0.in-addr.arpa udp

Files

memory/1544-0-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

MD5 26cd74cfefe4c844efcb6aa1c609f010
SHA1 4e0631f8612d3748bb1d0d1a2422eb3f1e88d642
SHA256 f94236012479ff7c0d8bc3871cc3fff3199f2006c414de346c7a9634b723fed7
SHA512 b5abc5235a4d8ce222886cb4909882e04c3997c5e11e05ad9f63df51669ff2dec4d8ec9489c483f84e700c4243421e769b6794d18bc070d25a3acafc81e4225a

memory/2360-34-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\SysWOW64\drivers\system32.exe

MD5 7973b7409af7c2f4805111f5aa45d7c3
SHA1 3b9f10e678f929c513b850879d843cd75face745
SHA256 5f336127806f983c22ecc8648f2f1b4dbe2cff58fed9f808bb800f5fa089bd46
SHA512 633697bcceed4e8738b347c303bb4da9adec817611da9afef67ff096a150398c064de20dd6caed03fa12caf26868f643508e03422fe2629a413f4c610488b896

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 c05db41de34cd32d667c3805a5f3dd5e
SHA1 bef57144ad3d8ba9218e7ace31ae9a61e9eba5c3
SHA256 dcb15b123582eb32d92e98db68a22e674511dc118381e4a5dc7e878132f3a1b7
SHA512 596431d920698d8bffd0103ab1d9432c4575ab0fcc15411a834d01fbd2105d99feab6046bbb5ad32eeda3d0913f4c34c7160e44acdadc6e59df33184cafb844e

C:\Windows\SysWOW64\17-6-2024.exe

MD5 92eb068d9fc062130e70a586734e2484
SHA1 afe7d503097524ef6909df54bfa62a204079e11a
SHA256 6dae946ae709486f556084211202f6b9e0fb5708182d14495fe9b16f248687ee
SHA512 8fc100014db57e2cd6ea215eb16f44d28733c5293e7377f5a3deeb7237f33327aa7a8e9061ecd526ce0a42ba529222d7237013561b51bf6dabdedb99a5eefcab

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

MD5 ade08a217229b2b8ecf6098e6d877616
SHA1 435f31d0ed6e307f094bc1728a4d2f3805f189f4
SHA256 d92dbdef131aa74be5094416a44f8e0808d1277483eb4efccee6785373499c70
SHA512 c79b3c22bef2182ab2e617ccc43b8c45fb38cbfde739d319adc67f7f9ef836018860217a9efdd22013f50e1896fc02502dfad3c38c5319ee079dce2ce6ed3370

C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

MD5 f8e6acd8e3507d1a8e7cbd9e10bcb748
SHA1 5b7bb8a950ea4c2fe570d89855ead987f5db0296
SHA256 539c8227be47cb3dc67bc467dc389773ac53913606af7f31306e62e7a7d1998c
SHA512 03db1711cf6b2fd8ff0c34bc4a329937e8f4798895a683fef4cfc7c6243a174bcdbe16e68a560eb510b01e79fe4777ad0ce7998e12b7be0390aa2fd2af93b5ce

memory/2380-70-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2380-79-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3112-78-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 1723fcc62611bc8dc57aa9fab5594b84
SHA1 3350a562942099a383b0c8f4bf529baf22c4c7be
SHA256 d7f1f6a574249a285d0ded959013a694ce1ad98f1fa68cf3ae01afea97f264c2
SHA512 6a38b45f072cf8f5ee9179d6b8c3b49c16f33ee842dbe490e87b0300e5e95460f9b9263de6dc782ae423f04a232be091251b85756df44210d63a7fbc35f1ed1f

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 e24b28a9d1d9f2b22501f3b455a4feae
SHA1 630561059e67708faa0c8016a92e718c0735391e
SHA256 815f39d4961e918aeeaab920006e70905b38854ef9728ddb4ad64d94bbbf5560
SHA512 c631b172ed557736d845ebe0eea7502ffba24d843b0baf57663e375a68038e06b9536d6dd29a8a4943772da9c0fd0f3b4c302efa2675f4e7e712113eded39502

C:\Windows\SysWOW64\17-6-2024.exe

MD5 2aef202d213a5b3d0cdd09df686b8bcb
SHA1 da0d3f4e0751b1a13d0449d95196f8b9071c0fbe
SHA256 f43771c56df95d507eff4f8f569db96dd42a423fac45336bf9be8788797ff459
SHA512 1ff05f9c07c8be1db3e46a586de10e033f6e68f43b4255989b11ab1bae3ae380e2921e07bba8af22df411020066f83ad618568f0b02c202252f9a5ca1097c75c

C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

MD5 58dc751be7925f6c269bdf1cb3314136
SHA1 650311b4875e4f19f392b1b792fe83087b03714d
SHA256 177b23be6f4351a12374bf4f281f007e3d605b64667bad760c53ce4face4eb66
SHA512 ba1a2a801b18ebb09a5b1086e279ce93ffdb63652ecd61154eafeb43ef25449860ea52f9e64f95e4af5741f7ad71cb98628962cb11f75a9428bdea4b3e899990

memory/4140-116-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5060-114-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5060-125-0x0000000000400000-0x000000000042A000-memory.dmp

memory/520-121-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\drivers\system32.exe

MD5 240c92251cfb8a75ce3c31647e532073
SHA1 3d04dbe66d1a6eefd84fbbde1c49c7af49fd5189
SHA256 bc3fb974a239527a192583e45459020c5b1528a977e3f88d528757f6f21ad635
SHA512 a737c1240ac30646b99cdbfb52062392bb7c509ab38c1ebfbdbf391975ae79b467ab5274d28b685dced5632a66925da31556b4c27585830624a8be8406a82bb7

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 71c393886944cfbabd173fef7c1703c0
SHA1 17e6b1d588c76c6cbb515d156e507c32bb160a36
SHA256 a3fe481defc9565201417d35eeb1d4d895924e2b63f961eddadf98843d0de2cd
SHA512 bae215867d6d108f61adbb8359d4c6fd9fc9c769d8ea84f6aa0642aba8a1e740f93c35bb94a0feb56dd45c0bb41f147ca87cad27090ec09f0af9f791b41d8659

memory/3712-156-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3028-158-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3712-164-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1444-165-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3100-174-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1544-173-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1444-172-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\17-6-2024.exe

MD5 ad38cb6a7dee2e98601bfb01f4ad23da
SHA1 b662b00cf35d992f1e7c991f934d03d89722db1d
SHA256 ea379a7314945019f0af152d1b3aa867e8286d6de4f5f484f8e11a7a950c8b15
SHA512 71ed2411b53b4635497b111363cc527a19db9286f2fdcaffb3d3697fbd06aad8a926f6d5ead774cb075eaa894a49dba95f98a6e097fca984a5f87b9597b2239f

C:\Windows\SysWOW64\drivers\system32.exe

MD5 9d3a531e0dc899c3853498eb276aa4e9
SHA1 aa515978a20600cf3943f4cee51288790953382c
SHA256 8750fefd816d2ea1a5ce95c15b69a26823570635a7da409bf11422b453919d4b
SHA512 e0eae0fe80188f4e8ab84d16d1b6e9eeceb56b7da885e68cd87778935bf8980daaec75a4828a1a64a209b08a11b0ae329755c84e755125cecdaf75fd980779e9

memory/2360-197-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1232-204-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3112-208-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4652-211-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4408-209-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4408-216-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2032-223-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2396-221-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2648-243-0x0000000000400000-0x000000000042A000-memory.dmp

memory/520-242-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2648-246-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3740-250-0x0000000000400000-0x000000000042A000-memory.dmp

memory/628-255-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3792-253-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3100-260-0x0000000000400000-0x000000000042A000-memory.dmp

memory/800-261-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3792-259-0x0000000000400000-0x000000000042A000-memory.dmp

memory/800-265-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3388-269-0x0000000000400000-0x000000000042A000-memory.dmp

memory/112-275-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3556-279-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2032-284-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1988-283-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2960-288-0x0000000000400000-0x000000000042A000-memory.dmp

memory/456-292-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4332-295-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2948-298-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3436-299-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3436-303-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3480-307-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2360-309-0x0000000000400000-0x000000000042A000-memory.dmp

memory/520-311-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1544-308-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3112-310-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2032-313-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3100-312-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

F:\Gaara.exe

MD5 4f638f90ece1cd2c4f8b10a792956d70
SHA1 ab95276f68053c4bdaea10975610dea6b0b042eb
SHA256 e70f2481aa838b9592454700e264c29acb17521fda0303adfbaac30963ec6a59
SHA512 e5801242754199a6ff77dc2d8ec266f2051971b8dc74f5f05108ecbdce2ab9346a2ab0bde9847ba075edfaf0ed5be88d380d89750e7cfe842caffd410f9a2bbb

memory/2360-417-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1544-416-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

memory/3112-541-0x0000000000400000-0x000000000042A000-memory.dmp

memory/520-542-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2032-585-0x0000000000400000-0x000000000042A000-memory.dmp