Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
  • submitted
    13/05/2024, 10:25

General

  • Target

    b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe

  • Size

    236KB

  • MD5

    b2739b7f6d1227761aefa9f256ed9970

  • SHA1

    9c3868075147e7815c13008b8e837a387387fa05

  • SHA256

    58676e386e9d85c29873f52a803cfff142d56820c9213ccf16c9de0170ace24d

  • SHA512

    cb9beebf23cad6e45c83de7251dd3bc5f655e0b69ba22d4d5041c0541ad873d3d05a5c279a14452cb0f543f27f32cec34986128c4a37bdaba5bf2c9476c152a5

  • SSDEEP

    1536:WDusHJo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeV1eT92NdTy2OBn:1ox6AHjYzaFXg+w17jsgS/jHagQg1E5

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 63 IoCs
  • UPX packed file 58 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 48 IoCs
  • Runs ping.exe 1 TTPs 28 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Sets file execution options in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2904
    • C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
      "C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Sets file execution options in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2676
      • C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
        "C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2664
      • C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
        "C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Sets file execution options in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2488
        • C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
          "C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:1668
        • C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
          "C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:2776
        • C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
          "C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Sets file execution options in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2580
          • C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
            "C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:1872
          • C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
            "C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:1284
          • C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
            "C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:2276
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Sets file execution options in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2236
            • C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
              "C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:480
            • C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
              "C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:1112
            • C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
              "C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:1488
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:1088
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visiblity of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Sets file execution options in registry
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1868
              • C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
                "C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:2304
              • C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
                "C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:2312
              • C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
                "C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:1648
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1684
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2192
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:1936
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:632
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:2476
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:2784
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:2656
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:656
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:592
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:264
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:2884
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:2540
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:668
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:1328
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:1116
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:1924
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:2176
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2404
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2092
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:2536
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:2508
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:2316
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:2592
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:1624
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:1668
      • C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
        "C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2008
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2156
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1704
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:2804
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:2748
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:1524
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:1508
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:2640
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:996
    • C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
      "C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:812
    • C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
      "C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:2948
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2220
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1508
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:2396
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:1048

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Admin Games\Readme.txt

          Filesize

          736B

          MD5

          bb5d6abdf8d0948ac6895ce7fdfbc151

          SHA1

          9266b7a247a4685892197194d2b9b86c8f6dddbd

          SHA256

          5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

          SHA512

          878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

        • C:\Autorun.inf

          Filesize

          196B

          MD5

          1564dfe69ffed40950e5cb644e0894d1

          SHA1

          201b6f7a01cc49bb698bea6d4945a082ed454ce4

          SHA256

          be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

          SHA512

          72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

        • C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe

          Filesize

          236KB

          MD5

          3412bfc1bb9be1f9e3b405f1661b18a9

          SHA1

          6104c05904cd57bf36b593ce338f1499fe5ef0e8

          SHA256

          f8e5e7efb8a1dc2f4aae56ab917c6665607af13b225ac96bcfc1819ad47ad1a4

          SHA512

          753f095295e936c4a4267e853869eeff525b21b3ff3caf39e6846b6d5039a79805d67260528fb4a7240c791cb591088bec3f158c3e0be3031c1ba28c2d242e17

        • C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

          Filesize

          236KB

          MD5

          b2739b7f6d1227761aefa9f256ed9970

          SHA1

          9c3868075147e7815c13008b8e837a387387fa05

          SHA256

          58676e386e9d85c29873f52a803cfff142d56820c9213ccf16c9de0170ace24d

          SHA512

          cb9beebf23cad6e45c83de7251dd3bc5f655e0b69ba22d4d5041c0541ad873d3d05a5c279a14452cb0f543f27f32cec34986128c4a37bdaba5bf2c9476c152a5

        • C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

          Filesize

          236KB

          MD5

          fee973f247e0bbe12884a4c170da8fe9

          SHA1

          ccf46679479f365db8e7531d829fa3c94e97518f

          SHA256

          fcd90c5f37b6952bd3f2495a13370cf332df40eb3274c6940bc68a4dc648800e

          SHA512

          25c8a7be74e14d647bc6f711fe72523f06b79fb00f466b35d00b5d99588cac98c6ee8e5b110d8032cdcf652b185d29308a799647f800f98ccfec15b4e892d4a2

        • C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

          Filesize

          236KB

          MD5

          d68c0b7d15d2af8ace724b582cff672a

          SHA1

          5ba5d210d609677b4b86d326ccb939e6a3d74b56

          SHA256

          1139534ac62f937a0707e6200f953ed5e9098880845c569914238e614b69efca

          SHA512

          2e921ed66fc3f75916979e5c5559b2b0d3c37169a7b65d2bb64834de4315bb228669eb81bbfcd8b65c669039069daeb006ba686c664f4d8133571acb18a90b99

        • C:\Windows\Fonts\The Kazekage.jpg

          Filesize

          1.4MB

          MD5

          d6b05020d4a0ec2a3a8b687099e335df

          SHA1

          df239d830ebcd1cde5c68c46a7b76dad49d415f4

          SHA256

          9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

          SHA512

          78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

        • C:\Windows\SysWOW64\13-5-2024.exe

          Filesize

          236KB

          MD5

          0207eec289123b5c7c4c6d23ba00c025

          SHA1

          a36fa3753817be724ad4d6e47a639e9f9cf1bb5b

          SHA256

          d08a100bdd7f577a41431481607943b884289daff678815e8efc71c387e4b1f8

          SHA512

          cd0740df6f6fbba200a3f89bac79353383d482d628ddde1dceaf04cd24e86ecb96a79a40182153d804157d2fe4248ea1bd94ddab47dd6a908ee9c016a650dc87

        • C:\Windows\SysWOW64\13-5-2024.exe

          Filesize

          63KB

          MD5

          93dd72a68fe11cf07935171703ffc367

          SHA1

          65ed0be76d9e5f4bb0e0a1b6434e20e7e05b4419

          SHA256

          f719bb8ac9caac4dc9ce44e641391a3516d7826596146d7496f27ed367b0fd94

          SHA512

          525621923e5db1532fa72cc3efb6346504fd005977ee43c9ec74763c6f65484f342305a00da91fb76addd9da5a76aa34c45c4963d490ee6a5577cd960a70fc1e

        • C:\Windows\SysWOW64\13-5-2024.exe

          Filesize

          236KB

          MD5

          59f40d4fe51a2d2431780f1354a9bf51

          SHA1

          79eec2a7c212d8e7bad704e6899db6e991615d3c

          SHA256

          3ed047e89bfcc268666682dc6eef25949a060d936b415d82cf3b0fab2348a5b4

          SHA512

          bcfcf5adabdae58eab6fd597dbf163e9fbea0313a192ee05d3a08bcafd56f4382ab6ea631cc08875f227de1a4c4094b7749c3a72687e56da36a214af4e09cb08

        • C:\Windows\SysWOW64\Desktop.ini

          Filesize

          65B

          MD5

          64acfa7e03b01f48294cf30d201a0026

          SHA1

          10facd995b38a095f30b4a800fa454c0bcbf8438

          SHA256

          ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

          SHA512

          65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

        • C:\Windows\SysWOW64\drivers\Kazekage.exe

          Filesize

          236KB

          MD5

          af7c143227a33cec83212cde5ee7ac7c

          SHA1

          4e664c30655419af6272e5fc8bfd7902bc0aa621

          SHA256

          0c00311d49f0aceedd41e8598ef91848f2e2a2f7373a6cd40a99bcc14fe58aaa

          SHA512

          94a59d408be551f4f32b37ec98ca2880473f13f03aba4ee5973f1e09f2e9fc4e8794a66de32455ba1d547668f60a83dc92d45dac94825fbbd9c2273666c66caf

        • C:\Windows\SysWOW64\drivers\Kazekage.exe

          Filesize

          236KB

          MD5

          c320553ec5a98b19f78407f41be8d36d

          SHA1

          7972634ac99a73684288dad4d1482bdeb6ba6b1c

          SHA256

          8a2608da871830ce2b799951d0d208b82edff3a989735869cc32d32a842ce95d

          SHA512

          a40f2a93cbc1693a7d2beeb06753c04d5536483ab8017549d194906eac9b5ce8920677b4d454931689085736a55e4ad709a93314341c2df04fce3e50a796dcd5

        • C:\Windows\SysWOW64\drivers\system32.exe

          Filesize

          236KB

          MD5

          c2c313a0141172ae5df5d991b0040bed

          SHA1

          f5a7c12b93f5cf409ee4977ecdac5add8bcde533

          SHA256

          7c45ca8df08566c135e30dc1ccb127868270f92381e2f0488221a464408fb3d1

          SHA512

          397ad7cd7a24a35739fa223af49ddc5eaabf0a9c7637802c41854483b41b8352ffcb0fe4976cc08f68ccc1a20af0f14329add378ee2c59ba93d8265de306ddde

        • C:\Windows\SysWOW64\drivers\system32.exe

          Filesize

          236KB

          MD5

          7987b40ff701218579f7328c096842dc

          SHA1

          b72ecb91bf49140d4801ade8c083c3d65fb1f77c

          SHA256

          2b9769f8a86c506afa83e2ace724b4149cb86ef1269387c4346bfbf462cddace

          SHA512

          6af04a6b414b7a8d4ecb557fe5eb6c2b202acb7742043c47a4867a937871a01b541be557aa95d61582c7c93e6ba673db3eb783f00254c6b599d4d7c71ac209b6

        • C:\Windows\SysWOW64\drivers\system32.exe

          Filesize

          236KB

          MD5

          86bcafd8b4f12a22a7b333695f5aa11b

          SHA1

          0a3d3adb360bd5d3b7e5788177a6d2aa3cd2fd19

          SHA256

          97ccab657d668dbc8ef58f12b67daed7aaa0ad6de6c4fe67297a81fb1e26c3fe

          SHA512

          3da44e1ad0e0ca0c5123d954ab3181b1fa89b5c28d8873ce29baabf9062045c811cf52e940eb00c66b6f4e67777ea57dc1cce5222c1e24431b01dca2c2f153ab

        • C:\Windows\msvbvm60.dll

          Filesize

          762KB

          MD5

          0f5d2f66c4e06ebf95ac153f970c0b5a

          SHA1

          53de34a837cfeb95382c9c6ab709f08a2c76ccac

          SHA256

          5ef9079a0fd4feac911cfa17da29e339e1b7751772aced34a7edc04162df8918

          SHA512

          458c962ad4a13e7e3b23955c4195841b2046bd6acf78b51e4b9be62c43350bfa6057eb259d393495e65b07c631060d2d027a023165528b9c59fc9889c3fbe5b0

        • C:\Windows\system\msvbvm60.dll

          Filesize

          254KB

          MD5

          890dbc51ba4bded354d352e815c29b79

          SHA1

          92c776bf6e9654b90846bb90674e33f71b4a5544

          SHA256

          8680cc3bad912183370aed028c5b4f210ba346b013105b2334476e17197583f3

          SHA512

          edc9fb5d22c228347394e593ec4950aee949bce5f7a055e1ba0e3c3ee64d1377e732e139025ffbd2bd2f22759ea100f2df325080dcd3d4220d1602b716ac9e96

        • C:\Windows\system\msvbvm60.dll

          Filesize

          1.3MB

          MD5

          5343a19c618bc515ceb1695586c6c137

          SHA1

          4dedae8cbde066f31c8e6b52c0baa3f8b1117742

          SHA256

          2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

          SHA512

          708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

        • \Windows\Fonts\Admin 13 - 5 - 2024\smss.exe

          Filesize

          236KB

          MD5

          f3d4477cc0b336f0f6a71dfbeefdf5ec

          SHA1

          b998524e2a55a4edf14da3c15f8a551b3c000ed3

          SHA256

          465db24909448ebd7f283e4edbf025ba626ea97d8cbf517d4dbe8906c24bcec0

          SHA512

          250e5650d29084e7a3c4a8806d62d46139f8f04eddbc29989665ae639f0f613b405e72cc0c56c6dc9b9897c315e4bf7f77eed55534adb3b101be6490bd9622cd

        • \Windows\SysWOW64\drivers\Kazekage.exe

          Filesize

          236KB

          MD5

          eec64ee5175c599f800568f62ec93b00

          SHA1

          6046c5b9ae52821a00fdfb5e6dd4624c813534d5

          SHA256

          2421994bff990382f0b701ef31dca567aa1f4f9fe99d46c157504c079fc07f93

          SHA512

          7101761e2a51acb6ca8608470626e41cd4a4403c0d680fbc6b0fe0ed15d67eab832ed9beef3c4eb0bcedf5eec4dbb3cbce1bb0a4e72da85f0a33063f40012ebf

        • memory/480-226-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/668-278-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/668-279-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/812-302-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/812-303-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/1088-235-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/1088-240-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/1112-230-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/1284-189-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/1488-234-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/1508-312-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/1648-267-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/1668-129-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/1668-126-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/1684-270-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/1704-299-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/1868-277-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/1868-245-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/1872-175-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/1872-179-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2092-286-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2092-287-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2156-295-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2192-274-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2220-309-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2236-236-0x0000000000390000-0x00000000003CB000-memory.dmp

          Filesize

          236KB

        • memory/2236-224-0x0000000000390000-0x00000000003CB000-memory.dmp

          Filesize

          236KB

        • memory/2236-201-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2236-271-0x0000000000390000-0x00000000003CB000-memory.dmp

          Filesize

          236KB

        • memory/2236-264-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2276-188-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2276-192-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2304-260-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2312-263-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2404-282-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2488-132-0x00000000003B0000-0x00000000003EB000-memory.dmp

          Filesize

          236KB

        • memory/2488-231-0x00000000003B0000-0x00000000003EB000-memory.dmp

          Filesize

          236KB

        • memory/2488-313-0x00000000003B0000-0x00000000003EB000-memory.dmp

          Filesize

          236KB

        • memory/2488-227-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2488-89-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2488-285-0x00000000003B0000-0x00000000003EB000-memory.dmp

          Filesize

          236KB

        • memory/2488-125-0x00000000003B0000-0x00000000003EB000-memory.dmp

          Filesize

          236KB

        • memory/2580-244-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2580-171-0x00000000003B0000-0x00000000003EB000-memory.dmp

          Filesize

          236KB

        • memory/2580-143-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2664-80-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2676-296-0x00000000002E0000-0x000000000031B000-memory.dmp

          Filesize

          236KB

        • memory/2676-187-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2676-200-0x00000000002E0000-0x000000000031B000-memory.dmp

          Filesize

          236KB

        • memory/2676-314-0x00000000002E0000-0x000000000031B000-memory.dmp

          Filesize

          236KB

        • memory/2676-75-0x00000000002E0000-0x000000000031B000-memory.dmp

          Filesize

          236KB

        • memory/2676-38-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2776-130-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2776-141-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2904-174-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2904-181-0x0000000000520000-0x000000000055B000-memory.dmp

          Filesize

          236KB

        • memory/2904-0-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB

        • memory/2904-37-0x0000000000520000-0x000000000055B000-memory.dmp

          Filesize

          236KB

        • memory/2948-306-0x0000000000400000-0x000000000043B000-memory.dmp

          Filesize

          236KB