Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/06/2024, 05:14

General

  • Target

    4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe

  • Size

    66KB

  • MD5

    4f638f90ece1cd2c4f8b10a792956d70

  • SHA1

    ab95276f68053c4bdaea10975610dea6b0b042eb

  • SHA256

    e70f2481aa838b9592454700e264c29acb17521fda0303adfbaac30963ec6a59

  • SHA512

    e5801242754199a6ff77dc2d8ec266f2051971b8dc74f5f05108ecbdce2ab9346a2ab0bde9847ba075edfaf0ed5be88d380d89750e7cfe842caffd410f9a2bbb

  • SSDEEP

    1536:37OE59Vyzrc8K3WgFtKhJP+tcrVOXKzaJThZfaKhQiSEKNJ:LV5998K3WQ8fjEXKgZfnhfxu

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\4f638f90ece1cd2c4f8b10a792956d70_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Sets file execution options in registry
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1544
    • C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
      "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Sets file execution options in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2360
      • C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
        "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2380
      • C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
        "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Sets file execution options in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3112
        • C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
          "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:4140
        • C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
          "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:5060
        • C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
          "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Sets file execution options in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:520
          • C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
            "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:3028
          • C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
            "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:3712
          • C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
            "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:1444
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Sets file execution options in registry
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:3100
            • C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
              "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:1232
            • C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
              "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:4652
            • C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
              "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:4408
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:2396
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visiblity of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Sets file execution options in registry
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2032
              • C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe
                "C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:2648
              • C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
                "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:3740
              • C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
                "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:628
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:3792
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:800
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:3776
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:3456
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:4164
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:4572
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:3168
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:1276
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:3380
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:3432
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:3628
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:3880
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3388
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:3904
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:4596
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:4048
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:1164
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:2588
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:3564
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:112
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:3556
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:448
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:856
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:1004
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:2908
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:3388
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:3560
      • C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
        "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:1988
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2960
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:456
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:1492
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:2020
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:3940
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:456
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:228
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:2772
    • C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe
      "C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:4332
    • C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe
      "C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:2948
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3436
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3480
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:5092
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:3760
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:3704
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:1596
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:1956
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:2292

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Admin Games\Readme.txt

    Filesize

    736B

    MD5

    bb5d6abdf8d0948ac6895ce7fdfbc151

    SHA1

    9266b7a247a4685892197194d2b9b86c8f6dddbd

    SHA256

    5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

    SHA512

    878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

  • C:\Autorun.inf

    Filesize

    196B

    MD5

    1564dfe69ffed40950e5cb644e0894d1

    SHA1

    201b6f7a01cc49bb698bea6d4945a082ed454ce4

    SHA256

    be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

    SHA512

    72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

  • C:\Windows\Fonts\Admin 17 - 6 - 2024\Gaara.exe

    Filesize

    66KB

    MD5

    f8e6acd8e3507d1a8e7cbd9e10bcb748

    SHA1

    5b7bb8a950ea4c2fe570d89855ead987f5db0296

    SHA256

    539c8227be47cb3dc67bc467dc389773ac53913606af7f31306e62e7a7d1998c

    SHA512

    03db1711cf6b2fd8ff0c34bc4a329937e8f4798895a683fef4cfc7c6243a174bcdbe16e68a560eb510b01e79fe4777ad0ce7998e12b7be0390aa2fd2af93b5ce

  • C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

    Filesize

    66KB

    MD5

    ade08a217229b2b8ecf6098e6d877616

    SHA1

    435f31d0ed6e307f094bc1728a4d2f3805f189f4

    SHA256

    d92dbdef131aa74be5094416a44f8e0808d1277483eb4efccee6785373499c70

    SHA512

    c79b3c22bef2182ab2e617ccc43b8c45fb38cbfde739d319adc67f7f9ef836018860217a9efdd22013f50e1896fc02502dfad3c38c5319ee079dce2ce6ed3370

  • C:\Windows\Fonts\Admin 17 - 6 - 2024\csrss.exe

    Filesize

    66KB

    MD5

    58dc751be7925f6c269bdf1cb3314136

    SHA1

    650311b4875e4f19f392b1b792fe83087b03714d

    SHA256

    177b23be6f4351a12374bf4f281f007e3d605b64667bad760c53ce4face4eb66

    SHA512

    ba1a2a801b18ebb09a5b1086e279ce93ffdb63652ecd61154eafeb43ef25449860ea52f9e64f95e4af5741f7ad71cb98628962cb11f75a9428bdea4b3e899990

  • C:\Windows\Fonts\Admin 17 - 6 - 2024\smss.exe

    Filesize

    66KB

    MD5

    26cd74cfefe4c844efcb6aa1c609f010

    SHA1

    4e0631f8612d3748bb1d0d1a2422eb3f1e88d642

    SHA256

    f94236012479ff7c0d8bc3871cc3fff3199f2006c414de346c7a9634b723fed7

    SHA512

    b5abc5235a4d8ce222886cb4909882e04c3997c5e11e05ad9f63df51669ff2dec4d8ec9489c483f84e700c4243421e769b6794d18bc070d25a3acafc81e4225a

  • C:\Windows\Fonts\The Kazekage.jpg

    Filesize

    1.4MB

    MD5

    d6b05020d4a0ec2a3a8b687099e335df

    SHA1

    df239d830ebcd1cde5c68c46a7b76dad49d415f4

    SHA256

    9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

    SHA512

    78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

  • C:\Windows\SysWOW64\17-6-2024.exe

    Filesize

    66KB

    MD5

    ad38cb6a7dee2e98601bfb01f4ad23da

    SHA1

    b662b00cf35d992f1e7c991f934d03d89722db1d

    SHA256

    ea379a7314945019f0af152d1b3aa867e8286d6de4f5f484f8e11a7a950c8b15

    SHA512

    71ed2411b53b4635497b111363cc527a19db9286f2fdcaffb3d3697fbd06aad8a926f6d5ead774cb075eaa894a49dba95f98a6e097fca984a5f87b9597b2239f

  • C:\Windows\SysWOW64\17-6-2024.exe

    Filesize

    66KB

    MD5

    92eb068d9fc062130e70a586734e2484

    SHA1

    afe7d503097524ef6909df54bfa62a204079e11a

    SHA256

    6dae946ae709486f556084211202f6b9e0fb5708182d14495fe9b16f248687ee

    SHA512

    8fc100014db57e2cd6ea215eb16f44d28733c5293e7377f5a3deeb7237f33327aa7a8e9061ecd526ce0a42ba529222d7237013561b51bf6dabdedb99a5eefcab

  • C:\Windows\SysWOW64\17-6-2024.exe

    Filesize

    66KB

    MD5

    2aef202d213a5b3d0cdd09df686b8bcb

    SHA1

    da0d3f4e0751b1a13d0449d95196f8b9071c0fbe

    SHA256

    f43771c56df95d507eff4f8f569db96dd42a423fac45336bf9be8788797ff459

    SHA512

    1ff05f9c07c8be1db3e46a586de10e033f6e68f43b4255989b11ab1bae3ae380e2921e07bba8af22df411020066f83ad618568f0b02c202252f9a5ca1097c75c

  • C:\Windows\SysWOW64\Desktop.ini

    Filesize

    65B

    MD5

    64acfa7e03b01f48294cf30d201a0026

    SHA1

    10facd995b38a095f30b4a800fa454c0bcbf8438

    SHA256

    ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

    SHA512

    65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    66KB

    MD5

    71c393886944cfbabd173fef7c1703c0

    SHA1

    17e6b1d588c76c6cbb515d156e507c32bb160a36

    SHA256

    a3fe481defc9565201417d35eeb1d4d895924e2b63f961eddadf98843d0de2cd

    SHA512

    bae215867d6d108f61adbb8359d4c6fd9fc9c769d8ea84f6aa0642aba8a1e740f93c35bb94a0feb56dd45c0bb41f147ca87cad27090ec09f0af9f791b41d8659

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    66KB

    MD5

    c05db41de34cd32d667c3805a5f3dd5e

    SHA1

    bef57144ad3d8ba9218e7ace31ae9a61e9eba5c3

    SHA256

    dcb15b123582eb32d92e98db68a22e674511dc118381e4a5dc7e878132f3a1b7

    SHA512

    596431d920698d8bffd0103ab1d9432c4575ab0fcc15411a834d01fbd2105d99feab6046bbb5ad32eeda3d0913f4c34c7160e44acdadc6e59df33184cafb844e

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    66KB

    MD5

    e24b28a9d1d9f2b22501f3b455a4feae

    SHA1

    630561059e67708faa0c8016a92e718c0735391e

    SHA256

    815f39d4961e918aeeaab920006e70905b38854ef9728ddb4ad64d94bbbf5560

    SHA512

    c631b172ed557736d845ebe0eea7502ffba24d843b0baf57663e375a68038e06b9536d6dd29a8a4943772da9c0fd0f3b4c302efa2675f4e7e712113eded39502

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    66KB

    MD5

    240c92251cfb8a75ce3c31647e532073

    SHA1

    3d04dbe66d1a6eefd84fbbde1c49c7af49fd5189

    SHA256

    bc3fb974a239527a192583e45459020c5b1528a977e3f88d528757f6f21ad635

    SHA512

    a737c1240ac30646b99cdbfb52062392bb7c509ab38c1ebfbdbf391975ae79b467ab5274d28b685dced5632a66925da31556b4c27585830624a8be8406a82bb7

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    66KB

    MD5

    9d3a531e0dc899c3853498eb276aa4e9

    SHA1

    aa515978a20600cf3943f4cee51288790953382c

    SHA256

    8750fefd816d2ea1a5ce95c15b69a26823570635a7da409bf11422b453919d4b

    SHA512

    e0eae0fe80188f4e8ab84d16d1b6e9eeceb56b7da885e68cd87778935bf8980daaec75a4828a1a64a209b08a11b0ae329755c84e755125cecdaf75fd980779e9

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    66KB

    MD5

    7973b7409af7c2f4805111f5aa45d7c3

    SHA1

    3b9f10e678f929c513b850879d843cd75face745

    SHA256

    5f336127806f983c22ecc8648f2f1b4dbe2cff58fed9f808bb800f5fa089bd46

    SHA512

    633697bcceed4e8738b347c303bb4da9adec817611da9afef67ff096a150398c064de20dd6caed03fa12caf26868f643508e03422fe2629a413f4c610488b896

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    66KB

    MD5

    1723fcc62611bc8dc57aa9fab5594b84

    SHA1

    3350a562942099a383b0c8f4bf529baf22c4c7be

    SHA256

    d7f1f6a574249a285d0ded959013a694ce1ad98f1fa68cf3ae01afea97f264c2

    SHA512

    6a38b45f072cf8f5ee9179d6b8c3b49c16f33ee842dbe490e87b0300e5e95460f9b9263de6dc782ae423f04a232be091251b85756df44210d63a7fbc35f1ed1f

  • C:\Windows\System\msvbvm60.dll

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • F:\Gaara.exe

    Filesize

    66KB

    MD5

    4f638f90ece1cd2c4f8b10a792956d70

    SHA1

    ab95276f68053c4bdaea10975610dea6b0b042eb

    SHA256

    e70f2481aa838b9592454700e264c29acb17521fda0303adfbaac30963ec6a59

    SHA512

    e5801242754199a6ff77dc2d8ec266f2051971b8dc74f5f05108ecbdce2ab9346a2ab0bde9847ba075edfaf0ed5be88d380d89750e7cfe842caffd410f9a2bbb

  • memory/112-275-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/456-292-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/520-121-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/520-542-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/520-311-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/520-242-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/628-255-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/800-265-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/800-261-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1232-204-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1444-165-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1444-172-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1544-0-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1544-173-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1544-416-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1544-308-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/1988-283-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2032-585-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2032-284-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2032-313-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2032-223-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2360-197-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2360-417-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2360-34-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2360-309-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2380-70-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2380-79-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2396-221-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2648-246-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2648-243-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2948-298-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/2960-288-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3028-158-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3100-260-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3100-312-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3100-174-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3112-78-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3112-541-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3112-208-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3112-310-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3388-269-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3436-303-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3436-299-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3480-307-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3556-279-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3712-164-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3712-156-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3740-250-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3792-259-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/3792-253-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4140-116-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4332-295-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4408-209-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4408-216-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/4652-211-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/5060-125-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

  • memory/5060-114-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB