Analysis

  • max time kernel
    149s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/05/2024, 10:25

General

  • Target

    b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe

  • Size

    236KB

  • MD5

    b2739b7f6d1227761aefa9f256ed9970

  • SHA1

    9c3868075147e7815c13008b8e837a387387fa05

  • SHA256

    58676e386e9d85c29873f52a803cfff142d56820c9213ccf16c9de0170ace24d

  • SHA512

    cb9beebf23cad6e45c83de7251dd3bc5f655e0b69ba22d4d5041c0541ad873d3d05a5c279a14452cb0f543f27f32cec34986128c4a37bdaba5bf2c9476c152a5

  • SSDEEP

    1536:WDusHJo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeV1eT92NdTy2OBn:1ox6AHjYzaFXg+w17jsgS/jHagQg1E5

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • UPX packed file 58 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\b2739b7f6d1227761aefa9f256ed9970_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Sets file execution options in registry
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1980
    • C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
      "C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Sets file execution options in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1860
      • C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
        "C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:3300
      • C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
        "C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Sets file execution options in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3676
        • C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
          "C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:4152
        • C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
          "C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:1912
        • C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
          "C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Sets file execution options in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3044
          • C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
            "C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:2520
          • C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
            "C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:1576
          • C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
            "C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:1512
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Sets file execution options in registry
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:5048
            • C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
              "C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:1632
            • C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
              "C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:392
            • C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
              "C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:864
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2996
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visiblity of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Sets file execution options in registry
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3004
              • C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe
                "C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:1292
              • C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
                "C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:2468
              • C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
                "C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:976
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1204
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3860
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:4308
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:4772
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:3620
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:1104
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:1032
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:4480
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:3180
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:2976
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:2496
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:4592
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:840
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:4808
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1288
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:1420
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:2024
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:4072
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:1108
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:3612
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:2300
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4428
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:820
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:4356
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:3600
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:2272
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:3588
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:4588
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:4432
      • C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
        "C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4040
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:5000
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4408
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:4404
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:1288
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:1488
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:4616
    • C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe
      "C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:1892
    • C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe
      "C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:2476
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1200
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:5072
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:4304
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:4532
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:1996
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:4920
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:4984
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:2964
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4244,i,13035806169561352434,1332896185314862791,262144 --variations-seed-version --mojo-platform-channel-handle=4200 /prefetch:8
    1⤵
      PID:1064

    Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Admin Games\Readme.txt

            Filesize

            736B

            MD5

            bb5d6abdf8d0948ac6895ce7fdfbc151

            SHA1

            9266b7a247a4685892197194d2b9b86c8f6dddbd

            SHA256

            5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

            SHA512

            878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

          • C:\Autorun.inf

            Filesize

            196B

            MD5

            1564dfe69ffed40950e5cb644e0894d1

            SHA1

            201b6f7a01cc49bb698bea6d4945a082ed454ce4

            SHA256

            be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

            SHA512

            72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

          • C:\Windows\Fonts\Admin 13 - 5 - 2024\Gaara.exe

            Filesize

            236KB

            MD5

            fa4d516270abf380423c8e3520597775

            SHA1

            94ed2ed01408c8d8193dabdebae246090a41bd13

            SHA256

            c1659bad99d3de2d7bff99a1a02b9ae3fe8269b7e495f35d849ba3d654f80488

            SHA512

            24d3934e33dd2ec58d611035acf4148ebc5948b81b72bec91a9eb7404b53a3a0300693a93b97b61e9196d04d04ec8a0dfec23e06f30ec669f5221e764194f1bb

          • C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

            Filesize

            236KB

            MD5

            ecbd72e83c6526f8b04c7499c3e063c9

            SHA1

            2c36e51dc6d655c98463b6b9171f040506ecfdc2

            SHA256

            73050ecb18a3899ee43081ba6f4aa7556647c6bfbf186fc147f9ed584d103b3e

            SHA512

            972d7634427234f625c2bc8b75f6848c4b6310f9f7ba77e984490698f922b5b4c6f4b0ebfc93aec4cf7cb1f91bad4612507f6e4051fcfefd626a18dd4c73d924

          • C:\Windows\Fonts\Admin 13 - 5 - 2024\csrss.exe

            Filesize

            236KB

            MD5

            fe32c87dfb13528bb8befa1edcfcd4e4

            SHA1

            a817c88790c85184f122d9091ca16f57fc0dfdb3

            SHA256

            3008c6068b2f99c38dc5c26cef3f72f490e3de9ca47a6e8be32e31e9c269decf

            SHA512

            0bc22664fa8bdd069681792e4c3b445d50ff161eb8207ff81149c1e971d756ae2fc596782e5021e9af15e0d17ab150bb8b6e2f986e8687824f1bf5f34ddb3e4e

          • C:\Windows\Fonts\Admin 13 - 5 - 2024\smss.exe

            Filesize

            236KB

            MD5

            aef2ed7d07d9c6ec77422f17a9ad84ce

            SHA1

            ba5fa17c159b27fc9762b1632d082a9c96306feb

            SHA256

            a5bfd4b66dcdfe1a370f1416c8c29883ada56a80a71220b89351e35e867c9665

            SHA512

            df435998e9b42821c9c8137e871079152521d9ffca316e4feee5f604b060e7dc69c78b708763d4366c79ae5c22cfe4ee3124dc2f45980e3be2c1ef8b73b782e3

          • C:\Windows\Fonts\The Kazekage.jpg

            Filesize

            1.4MB

            MD5

            d6b05020d4a0ec2a3a8b687099e335df

            SHA1

            df239d830ebcd1cde5c68c46a7b76dad49d415f4

            SHA256

            9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

            SHA512

            78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

          • C:\Windows\SysWOW64\13-5-2024.exe

            Filesize

            236KB

            MD5

            1cf439ee0548aebc9508337d4f27c170

            SHA1

            c2cbcf4c4ad37850dbcc40c8b49a9266deccd3a0

            SHA256

            3c3b3b16fd964743a83f3c0f22617184bcde80e89e4649c7ba8fa1cfe9b5d920

            SHA512

            a528c4b58e3f473def09f98bdd9b9d285b3dcb7eda69b8c1a9bbf7704d7e68e07d351ae857119e0d111ab08621031be75377cfb01b267163741859c05105a7d3

          • C:\Windows\SysWOW64\13-5-2024.exe

            Filesize

            236KB

            MD5

            a35d894e122d876b6c4cb7805ff63d44

            SHA1

            71bb98d70826372fd13435d296328811ddc74f27

            SHA256

            2b82f98f439c4c8b1aaadabf65efc0c7a85965565941b6fceb4d16bd8641bf06

            SHA512

            bcf8e628c5fb3b61108a328f0914579a02cd95e0a311da18b99f92a1b1bbf3ead6c170be8d8b83183bd8000c3ba8815f98642a910309bcf346b3932a39757108

          • C:\Windows\SysWOW64\13-5-2024.exe

            Filesize

            236KB

            MD5

            fda515d9a49cbe696bf31c76b3c8999d

            SHA1

            ca00877268d2b048eec820685d45898f73c38fbf

            SHA256

            6bf56dc0d66b90c9944850f4dc7a55e11655faef443d247b03b477a1024b4759

            SHA512

            916dc635c7140c5468a198f105d4459cc439a84a41f4f6264c41f008e41b908adb8e21a111b1a477da388615ce3442522ad7127ee65db512aff84b95fc528163

          • C:\Windows\SysWOW64\13-5-2024.exe

            Filesize

            236KB

            MD5

            f38b1e193390c463ca2ab3c6a149b034

            SHA1

            d467ad54d7ad482413f22543442696d6936b1bc5

            SHA256

            4072fe1c253d8d02dbdd58435d28f208d96a29a1c50c79dc10499e9b3fe06278

            SHA512

            bd9367a379a30748202bf9e13825d48e247277608020506b0fc69aeb28edc8892eed8350f053cae86f8c82f8bda77741ac999de4d6059fcc589d23e45ddb5dbe

          • C:\Windows\SysWOW64\13-5-2024.exe

            Filesize

            236KB

            MD5

            4245607b10555ae6dc2a09c393c24570

            SHA1

            5c469a3cd6252cdbbfd12601a58cf7295a91ad36

            SHA256

            4090c7bcae7b528ac496c02390988bc7d88cc37d236fe1eea1d9009d4f3d1944

            SHA512

            bcecf6b57195428d7b4865d193425b32ac57306fd4f6497df90cb3b6fae53aa890ac341b319045d2bb4b9787bb05827242b82e42b04fc31bdaecc1114e337e89

          • C:\Windows\SysWOW64\Desktop.ini

            Filesize

            65B

            MD5

            64acfa7e03b01f48294cf30d201a0026

            SHA1

            10facd995b38a095f30b4a800fa454c0bcbf8438

            SHA256

            ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

            SHA512

            65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

          • C:\Windows\SysWOW64\drivers\Kazekage.exe

            Filesize

            236KB

            MD5

            2e4fb84b11fdefca70dde890e60baa9c

            SHA1

            a2f4d9d079fe3a69fbc004b953a65f3065f36e88

            SHA256

            1e5b2c8c11cfae0bb53be7fbda633778c6efecd6e18eb368c7bb40b3fc4066b0

            SHA512

            488acc2a2c28c4b4ee7aa208ea2bce30125e53a635efa16de0f8a6c5589602701f4445155bfaa607784deebf8e844ceaac86022a6cd28a6cfc21f3064929e190

          • C:\Windows\SysWOW64\drivers\Kazekage.exe

            Filesize

            236KB

            MD5

            6f3e0050880d6525738710a877727b05

            SHA1

            9356ee27a9d08c50120428b5692d186e91e438e6

            SHA256

            5130857d2c72e3832b77a88096c4c6c4065d518876883575f677f151f90b349d

            SHA512

            d2575a0e8e12c3421c410abff4007c49fc53ea7975fd2312962157a87a3471bdd9b84c4ab05f58bd9e87fadc157d7fba3c697cdf11d259f26700a5eee73b728e

          • C:\Windows\SysWOW64\drivers\Kazekage.exe

            Filesize

            236KB

            MD5

            eec64ee5175c599f800568f62ec93b00

            SHA1

            6046c5b9ae52821a00fdfb5e6dd4624c813534d5

            SHA256

            2421994bff990382f0b701ef31dca567aa1f4f9fe99d46c157504c079fc07f93

            SHA512

            7101761e2a51acb6ca8608470626e41cd4a4403c0d680fbc6b0fe0ed15d67eab832ed9beef3c4eb0bcedf5eec4dbb3cbce1bb0a4e72da85f0a33063f40012ebf

          • C:\Windows\SysWOW64\drivers\Kazekage.exe

            Filesize

            236KB

            MD5

            075e0ad1c8298e7b03b1e76c90e45222

            SHA1

            3f360c145156f87c0b51c545cd6023a181c2c2c6

            SHA256

            4cd918f25a2e895a0ed7ffddb46bffce87d7196f7ea11361aebfad1662b84049

            SHA512

            6235e12b45187489b7b78993c915782c4382e6312a4142d22d54cf80a9c39b81782413d91d37705bff624f783756f388c3b57503c4aeb0c5a1d7be68607424fd

          • C:\Windows\SysWOW64\drivers\system32.exe

            Filesize

            236KB

            MD5

            456d1e63e88a0f18f118bc965faf7cfa

            SHA1

            9e0c05689583f56cd01e4f303a29ae39520ed445

            SHA256

            03e25226168cdcae6a9c0e14b753eccc979028089562375d6a4e3845b8155f15

            SHA512

            740529570e6f0485c78370f0e73c10db88aca9955f1a1fc958b04c4f0379434ac8819c74260d7440a560b705ce4abd2c068da113d97e7f5da1b2279ddbebb0f1

          • C:\Windows\SysWOW64\drivers\system32.exe

            Filesize

            236KB

            MD5

            b1cf06d4594906680d71c5f11e05614b

            SHA1

            3b6abd6cc8c71340f386e3b973eb0f85e1011f42

            SHA256

            120a5394cac4089d28977d3ddf9a4708b29e785a247719ea7b7eedbb0e5bb9c9

            SHA512

            1fcd62e17f3a28bb0e78766d99ebd42fa20ae4d5e3f512de5a4e4a529e741e88fa029958fb37915e2381811f01466ed523bdc7c8e6ca0e8641d4f63ead37cb04

          • C:\Windows\SysWOW64\drivers\system32.exe

            Filesize

            236KB

            MD5

            29eb6ff8a664ad5ce1e461f4043c0fb0

            SHA1

            081889330cf83b2954504e192fa8a5ff0ee1e649

            SHA256

            93bcaaf56727c23a5d7841c4607ca843ecfdeacde638eed3ebb891e3ccddaaaf

            SHA512

            0adbfb03789575f12ddbf9c0d2e2a700c98b3b231b1fa8736d364b92513f0afd814344b8b5e2c1a69390d9ce76308d2a234048214e992e20249b49a762eaea02

          • C:\Windows\SysWOW64\drivers\system32.exe

            Filesize

            236KB

            MD5

            432bf4990c150c818b09e5d1ff317264

            SHA1

            0615a5b7f477b0d058bd07b78f33f1e809272665

            SHA256

            c09866674246250f52ca9a3552d7eb90d324161e559b2af85efac87d439dc218

            SHA512

            4c29e992743056bb5133a935391cf6ecd9d27d9674b4fb45e2c0f2920f79ade69271880852b7a7cbc7eff600781561147c27ff182f5ed3f7af0fa12f9d9dd5ec

          • C:\Windows\System\msvbvm60.dll

            Filesize

            1.4MB

            MD5

            25f62c02619174b35851b0e0455b3d94

            SHA1

            4e8ee85157f1769f6e3f61c0acbe59072209da71

            SHA256

            898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

            SHA512

            f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

          • memory/392-201-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/820-255-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/820-259-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/864-205-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/976-238-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/1200-278-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/1204-239-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/1204-242-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/1288-249-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/1512-168-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/1512-160-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/1576-159-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/1860-191-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/1860-32-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/1892-272-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/1912-120-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/1912-115-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/1980-0-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/1980-166-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/2468-237-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/2476-275-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/2520-150-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/2996-211-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/3004-262-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/3004-212-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/3044-230-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/3044-122-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/3300-72-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/3300-77-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/3676-75-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/3676-200-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/3860-246-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/4040-265-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/4152-114-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/4152-111-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/4408-269-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/4428-256-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/5000-266-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/5048-167-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/5048-243-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB

          • memory/5072-281-0x0000000000400000-0x000000000043B000-memory.dmp

            Filesize

            236KB