Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    80s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    09/05/2024, 16:13

General

  • Target

    84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe

  • Size

    236KB

  • MD5

    84d77513ffcc3a3de1ee70285a5a2210

  • SHA1

    fd0d2ab4d05c67862c3122ccb81541f2d44db19d

  • SHA256

    1d32beb2738933a0b21de3f776b04452b2a555d3435b998bb9020e395467cef9

  • SHA512

    5f0b6d7c1df05983b545c78b03a00eda154cdb7489b72959681a25d8b33d3cda35cf0286d4e3a9bec695c65c3bb4e52a51d45c72aaf0ec872cce4562bbf58cdd

  • SSDEEP

    3072:INx6AHjYzaFXg+w17jsgS/jHagQg19Vw+Hkaxu:INxzYzaFXi17jkw+E

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 23 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 61 IoCs
  • UPX packed file 52 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 34 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 48 IoCs
  • Runs ping.exe 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\84d77513ffcc3a3de1ee70285a5a2210_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Sets file execution options in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1624
    • C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe
      "C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Sets file execution options in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2640
      • C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe
        "C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2456
      • C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe
        "C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Sets file execution options in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2460
        • C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe
          "C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:1876
        • C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe
          "C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:2004
        • C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe
          "C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Sets file execution options in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2648
          • C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe
            "C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:1264
          • C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe
            "C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:2044
          • C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe
            "C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:2252
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Sets file execution options in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1796
            • C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe
              "C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:324
            • C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe
              "C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:528
            • C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe
              "C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:2588
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2088
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visiblity of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Sets file execution options in registry
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1132
              • C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe
                "C:\Windows\Fonts\Admin 9 - 5 - 2024\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:1388
              • C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe
                "C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:2384
              • C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe
                "C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:1160
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1352
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1856
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:948
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:1516
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:1516
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:2024
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:1780
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:1644
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:2828
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:2768
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:2436
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:2532
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2128
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:2812
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:2112
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:2020
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:968
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:1604
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:1500
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2024
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1524
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:1672
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:1768
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:1996
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:2508
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:1248
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:1628
      • C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe
        "C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2880
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2908
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1520
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:2732
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:2632
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:1804
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:2376
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:2080
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:528
    • C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe
      "C:\Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:2996
    • C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe
      "C:\Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:2312
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2828
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2940
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:2072
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:2268
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:2456
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:2856
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:648
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Admin Games\Readme.txt

    Filesize

    736B

    MD5

    bb5d6abdf8d0948ac6895ce7fdfbc151

    SHA1

    9266b7a247a4685892197194d2b9b86c8f6dddbd

    SHA256

    5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

    SHA512

    878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

  • C:\Autorun.inf

    Filesize

    196B

    MD5

    1564dfe69ffed40950e5cb644e0894d1

    SHA1

    201b6f7a01cc49bb698bea6d4945a082ed454ce4

    SHA256

    be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

    SHA512

    72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

  • C:\Gaara.exe

    Filesize

    236KB

    MD5

    84d77513ffcc3a3de1ee70285a5a2210

    SHA1

    fd0d2ab4d05c67862c3122ccb81541f2d44db19d

    SHA256

    1d32beb2738933a0b21de3f776b04452b2a555d3435b998bb9020e395467cef9

    SHA512

    5f0b6d7c1df05983b545c78b03a00eda154cdb7489b72959681a25d8b33d3cda35cf0286d4e3a9bec695c65c3bb4e52a51d45c72aaf0ec872cce4562bbf58cdd

  • C:\Windows\Fonts\The Kazekage.jpg

    Filesize

    1.4MB

    MD5

    d6b05020d4a0ec2a3a8b687099e335df

    SHA1

    df239d830ebcd1cde5c68c46a7b76dad49d415f4

    SHA256

    9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

    SHA512

    78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

  • C:\Windows\SysWOW64\9-5-2024.exe

    Filesize

    236KB

    MD5

    8f073bc2c1210a6845149c6a5e1eb9a5

    SHA1

    176a82ac43f88ec120c9782cc1775c2390e8d093

    SHA256

    d7d4bdf73782bf9b3580a8138c664e11b310960c05a21280f68d833ecb5ea84c

    SHA512

    84a512ea4f19ff05a2b8e38a4a0c842ed2803c531c78958a6545ad011f23f10362e664ff19f945c6dd04efa62e607aed6f49991ebf6f8a3e98eb0538317a4a98

  • C:\Windows\SysWOW64\Desktop.ini

    Filesize

    65B

    MD5

    64acfa7e03b01f48294cf30d201a0026

    SHA1

    10facd995b38a095f30b4a800fa454c0bcbf8438

    SHA256

    ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

    SHA512

    65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    236KB

    MD5

    a6678c6d12624eda01835e3fe7087d54

    SHA1

    139207dd479f120b81cbad313d39082a21c129e1

    SHA256

    9ec2acd58d5e30de16b99d636c267756f981845cf5a942f06158ef62779634ed

    SHA512

    e13410a7d2b51471702b0b4ba39ff65521a05922026ea404e65d6f53388e1242ff91244aee6195df133e1f962e9087378dbb3b86d5e5651e570803eed7c9512c

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    236KB

    MD5

    24e9e8667e802b1938ebfb70b3a6c980

    SHA1

    0d1e20727c5c00862367649a24153013c3b5b223

    SHA256

    df4571784d1509b0c76d23a37038a25c6dcc290a48a7f3a95f895b86ca6abe9e

    SHA512

    6ec7a4c67692e622d017a07f1dbb705b3e6190a80d3fef2affc597f14fb7d0c9b24349c425fb343dc65e5213ca9642e81d14aff5afcafe36465258d73a5db35a

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    236KB

    MD5

    0cec3977a178b132f560013dc2ee58cc

    SHA1

    4dc43750ac059143d1d26cea2bf6fb31d2c0f702

    SHA256

    5b2b260d7d529b8bd79183812ba171594ccad5ffbb52869d3f0dd391e02d2db7

    SHA512

    b593152ee0fd4c05e0e34ef4c141b57b3c4277e5888413dcf6b4384d971699dc21789730678fbe13624b2681880f36338f0637d5713a4ce6592e347333de8c74

  • C:\Windows\system\msvbvm60.dll

    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • \Windows\Fonts\Admin 9 - 5 - 2024\Gaara.exe

    Filesize

    236KB

    MD5

    e2699572f18dc325f74f1ea9defa45ad

    SHA1

    35f9c44c0bfcd00d0e090c0fadf74b076fbd73f4

    SHA256

    07c689a47511f53541c36bae3d3308d858378e44d04a0ab7e6f5cc307209f28b

    SHA512

    c0df8f9c693624e0bf284fc0f7877d1958339b4a6e67a19ac1b93cd28c6eeeca212ec756998dbb453473a65cf32d86be3445586a2b44b249802915cdf1ed42f4

  • \Windows\Fonts\Admin 9 - 5 - 2024\csrss.exe

    Filesize

    236KB

    MD5

    dc989c9b11f7e98454b0118b2c56c763

    SHA1

    afc56e3630086f4d20f9b7b5179fb048dd87516b

    SHA256

    e4c4e53c2f7276853182e72b2723a3403cae7e45f5ec538d7e1ba0b2ed22914a

    SHA512

    8f4dbc8ee835b5f684bbccde837c6d36bdf071928358899a78232d1735416088dde2d74f552445e2f9647b9a57cbbf370ab0e90f9d0e140eccc39c14d22f16ae

  • \Windows\Fonts\Admin 9 - 5 - 2024\smss.exe

    Filesize

    236KB

    MD5

    9f81a34c59427605abea4e17658e0e32

    SHA1

    8243826994b35991ebb9093a7cb7f7b9476d3e49

    SHA256

    8d4fd42f71b361127b5869b419dbf16e86c712b8e74f5c04a4bc5f96a00b5e75

    SHA512

    4b9cf20db87d25ed3d642c3d7f5cabb9c1650a792643f8cd2443f84084ffd4eb6472405bf0446b2aa65f5a0f9a63a9c58387fbca933222cc77f8fb7dc38bf190

  • \Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    236KB

    MD5

    9865d69358acaf5683133e45fd4ff907

    SHA1

    07c1d64c92387d5dc4770121c150303fda4f0ebc

    SHA256

    5041f8d6471a70f2b87748ee3f59603158b4a56c691ef1189e1f13400561799d

    SHA512

    bfb340918adaa1843bb6051579bad2314d151c5a8941106a1c9fbaefdd2cb37bc5224c2e369b141128a98cfb0e1169cda5b2c09d551e4b3d63f179e3f7643a6a

  • memory/324-224-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/324-223-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/528-227-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1132-293-0x0000000000540000-0x000000000057B000-memory.dmp

    Filesize

    236KB

  • memory/1132-280-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1132-243-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1132-254-0x0000000000540000-0x000000000057B000-memory.dmp

    Filesize

    236KB

  • memory/1132-267-0x0000000000540000-0x000000000057B000-memory.dmp

    Filesize

    236KB

  • memory/1132-271-0x0000000000540000-0x000000000057B000-memory.dmp

    Filesize

    236KB

  • memory/1160-264-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1264-178-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1352-270-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1388-258-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1388-255-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1520-300-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1524-288-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1624-36-0x0000000000390000-0x00000000003CB000-memory.dmp

    Filesize

    236KB

  • memory/1624-134-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1624-135-0x0000000000390000-0x00000000003CB000-memory.dmp

    Filesize

    236KB

  • memory/1624-37-0x0000000000390000-0x00000000003CB000-memory.dmp

    Filesize

    236KB

  • memory/1624-317-0x0000000000390000-0x00000000003CB000-memory.dmp

    Filesize

    236KB

  • memory/1624-316-0x0000000000390000-0x00000000003CB000-memory.dmp

    Filesize

    236KB

  • memory/1624-0-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1624-307-0x0000000000390000-0x00000000003CB000-memory.dmp

    Filesize

    236KB

  • memory/1796-275-0x00000000023F0000-0x000000000242B000-memory.dmp

    Filesize

    236KB

  • memory/1796-266-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1796-233-0x00000000023F0000-0x000000000242B000-memory.dmp

    Filesize

    236KB

  • memory/1796-198-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1796-229-0x00000000023F0000-0x000000000242B000-memory.dmp

    Filesize

    236KB

  • memory/1856-274-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/1876-126-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2004-131-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2044-183-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2088-236-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2128-279-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2128-276-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2252-186-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2312-306-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2384-261-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2456-80-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2460-122-0x0000000000510000-0x000000000054B000-memory.dmp

    Filesize

    236KB

  • memory/2460-142-0x0000000000510000-0x000000000054B000-memory.dmp

    Filesize

    236KB

  • memory/2460-90-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2460-195-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2460-311-0x0000000000510000-0x000000000054B000-memory.dmp

    Filesize

    236KB

  • memory/2588-232-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2640-315-0x00000000004B0000-0x00000000004EB000-memory.dmp

    Filesize

    236KB

  • memory/2640-171-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2640-83-0x00000000004B0000-0x00000000004EB000-memory.dmp

    Filesize

    236KB

  • memory/2640-296-0x00000000004B0000-0x00000000004EB000-memory.dmp

    Filesize

    236KB

  • memory/2640-297-0x00000000004B0000-0x00000000004EB000-memory.dmp

    Filesize

    236KB

  • memory/2640-39-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2648-189-0x00000000003B0000-0x00000000003EB000-memory.dmp

    Filesize

    236KB

  • memory/2648-143-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2648-265-0x00000000003B0000-0x00000000003EB000-memory.dmp

    Filesize

    236KB

  • memory/2648-197-0x00000000003B0000-0x00000000003EB000-memory.dmp

    Filesize

    236KB

  • memory/2648-228-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2828-310-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2908-294-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2908-295-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2940-314-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB

  • memory/2996-305-0x0000000000400000-0x000000000043B000-memory.dmp

    Filesize

    236KB