Analysis

  • max time kernel
    150s
  • max time network
    130s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    17/06/2024, 05:14

General

  • Target

    4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe

  • Size

    66KB

  • MD5

    4f638f90ece1cd2c4f8b10a792956d70

  • SHA1

    ab95276f68053c4bdaea10975610dea6b0b042eb

  • SHA256

    e70f2481aa838b9592454700e264c29acb17521fda0303adfbaac30963ec6a59

  • SHA512

    e5801242754199a6ff77dc2d8ec266f2051971b8dc74f5f05108ecbdce2ab9346a2ab0bde9847ba075edfaf0ed5be88d380d89750e7cfe842caffd410f9a2bbb

  • SSDEEP

    1536:37OE59Vyzrc8K3WgFtKhJP+tcrVOXKzaJThZfaKhQiSEKNJ:LV5998K3WQ8fjEXKgZfnhfxu

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 64 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 48 IoCs
  • Runs ping.exe 1 TTPs 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Sets file execution options in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2416
    • C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
      "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Sets file execution options in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2648
      • C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
        "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:1964
      • C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
        "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Sets file execution options in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2796
        • C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
          "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:2872
        • C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
          "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:1032
        • C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
          "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Sets file execution options in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1248
          • C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
            "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:1768
          • C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
            "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:1284
          • C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
            "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:2068
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Sets file execution options in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1712
            • C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
              "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:332
            • C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
              "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:112
            • C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
              "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:1104
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:1668
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visiblity of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Sets file execution options in registry
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1784
              • C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
                "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:2264
              • C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
                "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:1732
              • C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
                "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:1792
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:952
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1940
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:992
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:1600
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:1920
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:2992
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:2052
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:2868
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:2624
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:2508
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:1952
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:2504
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2304
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:1940
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:1984
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:3016
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:2240
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:2832
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:2808
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1620
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1716
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:1312
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:1540
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:2332
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:912
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:2668
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:2600
      • C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
        "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:1384
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2056
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3028
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:2504
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:316
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:1500
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:1668
    • C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
      "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2344
    • C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
      "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2908
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:1656
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2748
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:1944
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:1032
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:1900
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:344
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:1036
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:2948

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Admin Games\Readme.txt

    Filesize

    736B

    MD5

    bb5d6abdf8d0948ac6895ce7fdfbc151

    SHA1

    9266b7a247a4685892197194d2b9b86c8f6dddbd

    SHA256

    5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

    SHA512

    878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

  • C:\Autorun.inf

    Filesize

    196B

    MD5

    1564dfe69ffed40950e5cb644e0894d1

    SHA1

    201b6f7a01cc49bb698bea6d4945a082ed454ce4

    SHA256

    be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

    SHA512

    72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

  • C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

    Filesize

    66KB

    MD5

    a56111dc985a023d684af9a9ae112981

    SHA1

    c4e7e68b067d011d4c83030736e0507343ba5da6

    SHA256

    b133d74ce4162f3d7e2467c18182a646bec0ffdf146d8404c480a129ced3b25e

    SHA512

    4393c2fa7131c0538a37617b858e7f43d60a489ca39c84e389f2686f89ee2bb9d50de91d551a19e8b726481888c62d00d580ad485639cf63c077d48a66a1979a

  • C:\Windows\Fonts\The Kazekage.jpg

    Filesize

    1.4MB

    MD5

    d6b05020d4a0ec2a3a8b687099e335df

    SHA1

    df239d830ebcd1cde5c68c46a7b76dad49d415f4

    SHA256

    9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

    SHA512

    78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

  • C:\Windows\SysWOW64\Desktop.ini

    Filesize

    65B

    MD5

    64acfa7e03b01f48294cf30d201a0026

    SHA1

    10facd995b38a095f30b4a800fa454c0bcbf8438

    SHA256

    ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

    SHA512

    65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    66KB

    MD5

    3c02e26e944908f6ede7e619bdceafb3

    SHA1

    1d6ae1a6a47907be95f83e76e5357c690ed2fe80

    SHA256

    7a4c3d86b99887cccb051133e07b747e7793f481ef60e5647a73bf7792780a4e

    SHA512

    73c9327383a9326db8e426dbfd62cd33a6a16c2d13cc582e34f64bdf9f792cd7e0eb773abe47011d177a89279ef119d1e1ca57be416522a4a118828c5a670080

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    66KB

    MD5

    4f638f90ece1cd2c4f8b10a792956d70

    SHA1

    ab95276f68053c4bdaea10975610dea6b0b042eb

    SHA256

    e70f2481aa838b9592454700e264c29acb17521fda0303adfbaac30963ec6a59

    SHA512

    e5801242754199a6ff77dc2d8ec266f2051971b8dc74f5f05108ecbdce2ab9346a2ab0bde9847ba075edfaf0ed5be88d380d89750e7cfe842caffd410f9a2bbb

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    66KB

    MD5

    c05db41de34cd32d667c3805a5f3dd5e

    SHA1

    bef57144ad3d8ba9218e7ace31ae9a61e9eba5c3

    SHA256

    dcb15b123582eb32d92e98db68a22e674511dc118381e4a5dc7e878132f3a1b7

    SHA512

    596431d920698d8bffd0103ab1d9432c4575ab0fcc15411a834d01fbd2105d99feab6046bbb5ad32eeda3d0913f4c34c7160e44acdadc6e59df33184cafb844e

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    66KB

    MD5

    23588ff63a8525558c0f783839612dab

    SHA1

    854a5763eb864f3c15c3b9bc12d28274be53aff5

    SHA256

    9133db91763b9500f5f4d7deb66846509405abb5d7a3d96d87b2384f6f9d4f81

    SHA512

    0b4d1e52d28aa3beeff7bac758e7428d1452864c7a8549dc4f8a994a56ce44c44dc5bec9bd9400cfa68ab89688090fc60f3d76a0f52d2c6818438d081f517d4c

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    66KB

    MD5

    60dafa79cbeddef47e65c85574d824f5

    SHA1

    a75e1cdd387fcd9ce8613e8f632418015dc25354

    SHA256

    ab0b8917c4fc97bdd2e6896bf88b55e8fae1dda154200512016ad5334cb9b044

    SHA512

    8a98a710f259865abebd6c450de42cac7407004a3b12e8767671ac8160e48f1f2985abbe1356502aa88749cda9278d6e6fde3ad1567d23afc66902b7a200634f

  • C:\Windows\msvbvm60.dll

    Filesize

    960KB

    MD5

    d59546150d62ff1bd62f4d69b43a970a

    SHA1

    3688f73e9fd18e61df1d59f3153ce88a7f6b37c5

    SHA256

    5cd7a9848fe89888e660b08c4e1b0169a43d99c8580206d16641f3cc3f097b71

    SHA512

    d04c325c00b25c4ba2b4f818bd5525c78a085e8fac771f9f280714deac8a406cbaad49f347029be7abb1b65e35cbfdfc027ba7dfc729306e9db82d64294b3585

  • C:\Windows\msvbvm60.dll

    Filesize

    1.3MB

    MD5

    b905105a3b1b10882ba1a8544f7237fb

    SHA1

    04f234f902675b6bf434173e08d27a3df3e579ee

    SHA256

    04d113b23c6be6d36201328504e7b9664471a121f81afc037f73e03a05d914d7

    SHA512

    0d8b5c5027931e7525a3f08347605764358b617827f9a9782e36055268f6237b46136e1800791368cac6c279b85d1e7152d250894a72f0b27d6305940543b4e9

  • C:\Windows\system\msvbvm60.dll

    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • C:\Windows\system\msvbvm60.dll

    Filesize

    768KB

    MD5

    09298236a9fd4b7d2450cf3538f16827

    SHA1

    1528d16de7f6aabde96ada46ae92452d84eb0bdf

    SHA256

    83462cf5217c728d9370b9d8aedfadde8f1cefda3d17a148cbec5b231fc58b8c

    SHA512

    64381995b720a633cefffa5400eb5cf7b320c26c57de105606450fd2e2254081ab9acd88c07281db7f222a4263c732123ce6fc720a4d99061bcd0345febafc1f

  • \Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

    Filesize

    66KB

    MD5

    5ac7618c3999a1933252ecbcd6d14109

    SHA1

    5834d5c5be08fd78557ec2f2c95e01923e8fa8f7

    SHA256

    e440500d3ac82ece0142d2c3a6de4caebe92a15fb47bd655b51063183cdaf7d6

    SHA512

    0d5d42ef92b3e41397c525f5865879fcb7a1ce323a669ab3cb2d8f6cbcfd7cb0e4d2f15589150eeaf38149c72b141078a8f78d63f57180fd14a1ddef250700f6

  • \Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

    Filesize

    66KB

    MD5

    3c14f46add7c22aa4a3fbc79e68ba8bb

    SHA1

    0a583f35e06d980c5e253251be7f6a47d2560142

    SHA256

    320a4b20eae0e578f25cb7cf586e4ecaf5a05d45c8d80e7cb6f8dfffc3a57af8

    SHA512

    9906b4fcc244d252d464705b6038a9839fb21eeaa4d2f991f0e52219541e299511f307b6dc409c783e81edab66d947d00fac3321ab5c4af7c30a5a5b42c96db6

  • memory/112-237-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/112-240-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/332-230-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/332-234-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/952-287-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/952-285-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1032-136-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1032-141-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1104-243-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1248-586-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1248-252-0x0000000000540000-0x000000000056A000-memory.dmp

    Filesize

    168KB

  • memory/1248-197-0x0000000000540000-0x000000000056A000-memory.dmp

    Filesize

    168KB

  • memory/1248-353-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1248-265-0x0000000000540000-0x000000000056A000-memory.dmp

    Filesize

    168KB

  • memory/1248-187-0x0000000000540000-0x000000000056A000-memory.dmp

    Filesize

    168KB

  • memory/1248-343-0x0000000000540000-0x000000000056A000-memory.dmp

    Filesize

    168KB

  • memory/1248-342-0x0000000000540000-0x000000000056A000-memory.dmp

    Filesize

    168KB

  • memory/1248-238-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1248-149-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1248-295-0x0000000000540000-0x000000000056A000-memory.dmp

    Filesize

    168KB

  • memory/1284-192-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1284-194-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1384-314-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1620-300-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1620-304-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1656-336-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1668-246-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1712-284-0x0000000000370000-0x000000000039A000-memory.dmp

    Filesize

    168KB

  • memory/1712-276-0x0000000000370000-0x000000000039A000-memory.dmp

    Filesize

    168KB

  • memory/1712-271-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1712-210-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1712-354-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1716-305-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1716-309-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1732-272-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1732-277-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1768-184-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1784-254-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1784-310-0x0000000002470000-0x000000000249A000-memory.dmp

    Filesize

    168KB

  • memory/1784-299-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1784-330-0x0000000002470000-0x000000000249A000-memory.dmp

    Filesize

    168KB

  • memory/1784-355-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1784-588-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1792-281-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1940-292-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1940-289-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1964-80-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1964-88-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2056-318-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2056-320-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2068-198-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2068-201-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2264-266-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2264-270-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2304-296-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2304-298-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2344-326-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2344-329-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2416-179-0x0000000000430000-0x000000000045A000-memory.dmp

    Filesize

    168KB

  • memory/2416-36-0x0000000000430000-0x000000000045A000-memory.dmp

    Filesize

    168KB

  • memory/2416-583-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2416-350-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2416-147-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2416-148-0x0000000000430000-0x000000000045A000-memory.dmp

    Filesize

    168KB

  • memory/2416-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2416-37-0x0000000000430000-0x000000000045A000-memory.dmp

    Filesize

    168KB

  • memory/2648-584-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2648-186-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2648-40-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2648-90-0x0000000000390000-0x00000000003BA000-memory.dmp

    Filesize

    168KB

  • memory/2648-91-0x0000000000390000-0x00000000003BA000-memory.dmp

    Filesize

    168KB

  • memory/2648-349-0x0000000000390000-0x00000000003BA000-memory.dmp

    Filesize

    168KB

  • memory/2648-351-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2648-315-0x0000000000390000-0x00000000003BA000-memory.dmp

    Filesize

    168KB

  • memory/2648-357-0x0000000000390000-0x00000000003BA000-memory.dmp

    Filesize

    168KB

  • memory/2648-356-0x0000000000390000-0x00000000003BA000-memory.dmp

    Filesize

    168KB

  • memory/2748-344-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2748-345-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2796-209-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2796-127-0x0000000000300000-0x000000000032A000-memory.dmp

    Filesize

    168KB

  • memory/2796-352-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2796-124-0x0000000000300000-0x000000000032A000-memory.dmp

    Filesize

    168KB

  • memory/2796-92-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2796-585-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2796-229-0x0000000000300000-0x000000000032A000-memory.dmp

    Filesize

    168KB

  • memory/2872-134-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2908-331-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2908-335-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3028-323-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3028-325-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB