1c958bc2a268ce3f104a35882f694f8bead71015937bfb99b0986400ab29d703

Analysis

max time kernel
148s
max time network
48s
platform
windows7_x64
resource
win7v20210410
submitted
05-05-2021 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9915631_by_Libranalysis.exe
Size

124KB
MD5

c9915631dd271219bf51fe0a46a1d8ff
SHA1

7d6b0dd72dd6dd3261b0f30525c6860f86de012f
SHA256

1c958bc2a268ce3f104a35882f694f8bead71015937bfb99b0986400ab29d703
SHA512

045d441879636ebc9c6a25994a6aa08172bec3756829bba7b2eb188ee1585d7659f77e43d505c61032a5d36815f205f29b875ae5354fe13857941f366dae0941

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

c9915631_by_Libranalysis.exeGaara.execsrss.exeKazekage.exesystem32.exesmss.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	smss.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Disables RegEdit via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 24 IoCs

Processes:

c9915631_by_Libranalysis.exesmss.exeKazekage.exesystem32.execsrss.exeGaara.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	smss.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	Kazekage.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	system32.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	csrss.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	Kazekage.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	system32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	system32.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	Gaara.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	csrss.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	system32.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	Gaara.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	smss.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	Gaara.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	csrss.exe

Executes dropped EXE 30 IoCs

Processes:

smss.exesmss.exeGaara.exesmss.exeGaara.execsrss.exesmss.exeGaara.execsrss.exeKazekage.exesmss.exeGaara.execsrss.exeKazekage.exesystem32.exesmss.exeGaara.execsrss.exeKazekage.exesystem32.exesystem32.exeKazekage.exesystem32.execsrss.exeKazekage.exesystem32.exeGaara.execsrss.exeKazekage.exesystem32.exe

pid	process
1980	smss.exe
1776	smss.exe
1724	Gaara.exe
1068	smss.exe
1848	Gaara.exe
1648	csrss.exe
816	smss.exe
268	Gaara.exe
992	csrss.exe
2012	Kazekage.exe
1696	smss.exe
1692	Gaara.exe
1764	csrss.exe
1604	Kazekage.exe
1608	system32.exe
1828	smss.exe
420	Gaara.exe
1104	csrss.exe
1944	Kazekage.exe
1740	system32.exe
1888	system32.exe
1212	Kazekage.exe
1628	system32.exe
1772	csrss.exe
1420	Kazekage.exe
1776	system32.exe
1760	Gaara.exe
1764	csrss.exe
1008	Kazekage.exe
528	system32.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 63 IoCs

Processes:

c9915631_by_Libranalysis.exesmss.exesmss.exeGaara.exesmss.exeGaara.execsrss.exesmss.exeGaara.execsrss.exeKazekage.exesmss.exeGaara.execsrss.exesystem32.exesmss.exeGaara.execsrss.execsrss.exeGaara.execsrss.exe

pid	process
1996	c9915631_by_Libranalysis.exe
1996	c9915631_by_Libranalysis.exe
1980	smss.exe
1980	smss.exe
1776	smss.exe
1980	smss.exe
1980	smss.exe
1724	Gaara.exe
1724	Gaara.exe
1724	Gaara.exe
1068	smss.exe
1724	Gaara.exe
1848	Gaara.exe
1724	Gaara.exe
1724	Gaara.exe
1648	csrss.exe
1648	csrss.exe
816	smss.exe
1648	csrss.exe
268	Gaara.exe
992	csrss.exe
1648	csrss.exe
1648	csrss.exe
2012	Kazekage.exe
1696	smss.exe
2012	Kazekage.exe
1692	Gaara.exe
2012	Kazekage.exe
1764	csrss.exe
2012	Kazekage.exe
2012	Kazekage.exe
2012	Kazekage.exe
2012	Kazekage.exe
1608	system32.exe
1828	smss.exe
1608	system32.exe
420	Gaara.exe
1608	system32.exe
1104	csrss.exe
1608	system32.exe
1608	system32.exe
1608	system32.exe
1608	system32.exe
1648	csrss.exe
1648	csrss.exe
1724	Gaara.exe
1724	Gaara.exe
1724	Gaara.exe
1724	Gaara.exe
1980	smss.exe
1772	csrss.exe
1980	smss.exe
1980	smss.exe
1980	smss.exe
1980	smss.exe
1996	c9915631_by_Libranalysis.exe
1760	Gaara.exe
1996	c9915631_by_Libranalysis.exe
1764	csrss.exe
1996	c9915631_by_Libranalysis.exe
1996	c9915631_by_Libranalysis.exe
1996	c9915631_by_Libranalysis.exe
1996	c9915631_by_Libranalysis.exe

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

system32.exec9915631_by_Libranalysis.execsrss.exesmss.exeGaara.exeKazekage.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	c9915631_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe"	Kazekage.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe"	system32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe"	system32.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe"	smss.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe"	smss.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

system32.exec9915631_by_Libranalysis.exesmss.exeGaara.execsrss.exeKazekage.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c9915631_by_Libranalysis.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Gaara.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Kazekage.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

csrss.exeKazekage.exesmss.exeGaara.exesystem32.exec9915631_by_Libranalysis.exe

description	ioc	process
File opened for modification	\??\P:\Desktop.ini	csrss.exe
File opened for modification	\??\N:\Desktop.ini	Kazekage.exe
File opened for modification	\??\V:\Desktop.ini	smss.exe
File opened for modification	\??\M:\Desktop.ini	Gaara.exe
File opened for modification	\??\Y:\Desktop.ini	Gaara.exe
File opened for modification	\??\Z:\Desktop.ini	Gaara.exe
File opened for modification	\??\J:\Desktop.ini	csrss.exe
File opened for modification	\??\S:\Desktop.ini	system32.exe
File opened for modification	\??\F:\Desktop.ini	smss.exe
File opened for modification	\??\Z:\Desktop.ini	c9915631_by_Libranalysis.exe
File opened for modification	\??\I:\Desktop.ini	Gaara.exe
File opened for modification	\??\W:\Desktop.ini	csrss.exe
File opened for modification	C:\Desktop.ini	Gaara.exe
File opened for modification	\??\F:\Desktop.ini	Kazekage.exe
File opened for modification	\??\B:\Desktop.ini	smss.exe
File opened for modification	\??\Z:\Desktop.ini	system32.exe
File opened for modification	\??\Y:\Desktop.ini	c9915631_by_Libranalysis.exe
File opened for modification	\??\K:\Desktop.ini	Gaara.exe
File opened for modification	\??\H:\Desktop.ini	csrss.exe
File opened for modification	D:\Desktop.ini	Gaara.exe
File opened for modification	\??\P:\Desktop.ini	Gaara.exe
File opened for modification	\??\U:\Desktop.ini	Gaara.exe
File opened for modification	\??\W:\Desktop.ini	Gaara.exe
File opened for modification	\??\W:\Desktop.ini	system32.exe
File opened for modification	\??\O:\Desktop.ini	Kazekage.exe
File opened for modification	\??\A:\Desktop.ini	system32.exe
File opened for modification	\??\J:\Desktop.ini	c9915631_by_Libranalysis.exe
File opened for modification	\??\M:\Desktop.ini	c9915631_by_Libranalysis.exe
File opened for modification	\??\W:\Desktop.ini	c9915631_by_Libranalysis.exe
File opened for modification	\??\Z:\Desktop.ini	smss.exe
File opened for modification	\??\N:\Desktop.ini	Gaara.exe
File opened for modification	\??\B:\Desktop.ini	csrss.exe
File opened for modification	\??\V:\Desktop.ini	Gaara.exe
File opened for modification	\??\F:\Desktop.ini	csrss.exe
File opened for modification	\??\X:\Desktop.ini	csrss.exe
File opened for modification	\??\K:\Desktop.ini	system32.exe
File opened for modification	\??\R:\Desktop.ini	c9915631_by_Libranalysis.exe
File opened for modification	\??\N:\Desktop.ini	csrss.exe
File opened for modification	\??\V:\Desktop.ini	csrss.exe
File opened for modification	\??\Y:\Desktop.ini	csrss.exe
File opened for modification	\??\B:\Desktop.ini	Kazekage.exe
File opened for modification	\??\W:\Desktop.ini	Kazekage.exe
File opened for modification	\??\X:\Desktop.ini	system32.exe
File opened for modification	\??\I:\Desktop.ini	smss.exe
File opened for modification	\??\V:\Desktop.ini	c9915631_by_Libranalysis.exe
File opened for modification	\??\O:\Desktop.ini	csrss.exe
File opened for modification	\??\O:\Desktop.ini	smss.exe
File opened for modification	\??\U:\Desktop.ini	smss.exe
File opened for modification	\??\J:\Desktop.ini	Gaara.exe
File opened for modification	\??\R:\Desktop.ini	Gaara.exe
File opened for modification	\??\M:\Desktop.ini	smss.exe
File opened for modification	\??\N:\Desktop.ini	smss.exe
File opened for modification	\??\X:\Desktop.ini	smss.exe
File opened for modification	\??\V:\Desktop.ini	Kazekage.exe
File opened for modification	\??\F:\Desktop.ini	system32.exe
File opened for modification	\??\B:\Desktop.ini	Gaara.exe
File opened for modification	\??\M:\Desktop.ini	csrss.exe
File opened for modification	\??\G:\Desktop.ini	smss.exe
File opened for modification	\??\U:\Desktop.ini	csrss.exe
File opened for modification	\??\T:\Desktop.ini	Kazekage.exe
File opened for modification	C:\Desktop.ini	system32.exe
File opened for modification	\??\L:\Desktop.ini	system32.exe
File opened for modification	\??\G:\Desktop.ini	Kazekage.exe
File opened for modification	\??\G:\Desktop.ini	csrss.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

csrss.exeKazekage.exec9915631_by_Libranalysis.exesystem32.exeGaara.exesmss.exe

description	ioc	process
File opened (read-only)	\??\I:	csrss.exe
File opened (read-only)	\??\J:	csrss.exe
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\S:	Kazekage.exe
File opened (read-only)	\??\T:	Kazekage.exe
File opened (read-only)	\??\A:	c9915631_by_Libranalysis.exe
File opened (read-only)	\??\B:	c9915631_by_Libranalysis.exe
File opened (read-only)	\??\J:	c9915631_by_Libranalysis.exe
File opened (read-only)	\??\M:	system32.exe
File opened (read-only)	\??\K:	Gaara.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\E:	Kazekage.exe
File opened (read-only)	\??\G:	c9915631_by_Libranalysis.exe
File opened (read-only)	\??\L:	c9915631_by_Libranalysis.exe
File opened (read-only)	\??\O:	system32.exe
File opened (read-only)	\??\Y:	system32.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\T:	Gaara.exe
File opened (read-only)	\??\U:	Gaara.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\H:	Gaara.exe
File opened (read-only)	\??\M:	csrss.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\A:	Kazekage.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\S:	Gaara.exe
File opened (read-only)	\??\J:	Kazekage.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\Y:	smss.exe
File opened (read-only)	\??\I:	Gaara.exe
File opened (read-only)	\??\W:	Gaara.exe
File opened (read-only)	\??\V:	Kazekage.exe
File opened (read-only)	\??\Y:	Kazekage.exe
File opened (read-only)	\??\P:	system32.exe
File opened (read-only)	\??\S:	system32.exe
File opened (read-only)	\??\T:	system32.exe
File opened (read-only)	\??\B:	Gaara.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\M:	Gaara.exe
File opened (read-only)	\??\H:	Kazekage.exe
File opened (read-only)	\??\N:	c9915631_by_Libranalysis.exe
File opened (read-only)	\??\V:	system32.exe
File opened (read-only)	\??\Y:	c9915631_by_Libranalysis.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\A:	csrss.exe
File opened (read-only)	\??\M:	c9915631_by_Libranalysis.exe
File opened (read-only)	\??\A:	Gaara.exe
File opened (read-only)	\??\J:	smss.exe
File opened (read-only)	\??\P:	Gaara.exe
File opened (read-only)	\??\E:	system32.exe
File opened (read-only)	\??\Q:	system32.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\E:	c9915631_by_Libranalysis.exe
File opened (read-only)	\??\J:	system32.exe
File opened (read-only)	\??\T:	c9915631_by_Libranalysis.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\K:	c9915631_by_Libranalysis.exe
File opened (read-only)	\??\F:	Gaara.exe
File opened (read-only)	\??\Z:	smss.exe
File opened (read-only)	\??\W:	Kazekage.exe
File opened (read-only)	\??\L:	Gaara.exe
File opened (read-only)	\??\R:	Gaara.exe
File opened (read-only)	\??\V:	csrss.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in System32 directory 38 IoCs

Processes:

c9915631_by_Libranalysis.exeGaara.exesystem32.execsrss.exeKazekage.exesmss.exe

description	ioc	process
File created	C:\Windows\SysWOW64\msvbvm60.dll	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\	system32.exe
File opened for modification	C:\Windows\SysWOW64\5-5-2021.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\5-5-2021.exe	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	smss.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\	csrss.exe
File opened for modification	C:\Windows\SysWOW64\5-5-2021.exe	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\5-5-2021.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Kazekage.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\5-5-2021.exe	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	csrss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	csrss.exe
File created	C:\Windows\SysWOW64\5-5-2021.exe	c9915631_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system32.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	csrss.exe
File created	C:\Windows\SysWOW64\Desktop.ini	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	system32.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	system32.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	Kazekage.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	csrss.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\5-5-2021.exe	system32.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	system32.exe
File opened for modification	C:\Windows\SysWOW64\	smss.exe

Sets desktop wallpaper using registry 2 TTPs 6 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

c9915631_by_Libranalysis.exesmss.exeGaara.execsrss.exeKazekage.exesystem32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	system32.exe

Drops file in Windows directory 64 IoCs

Processes:

smss.exeKazekage.exec9915631_by_Libranalysis.execsrss.exesystem32.exeGaara.exe

description	ioc	process
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe	Kazekage.exe
File created	C:\Windows\msvbvm60.dll	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe	csrss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\system\mscoree.dll	system32.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	system32.exe
File opened for modification	C:\Windows\	smss.exe
File created	C:\Windows\WBEM\msvbvm60.dll	c9915631_by_Libranalysis.exe
File created	C:\Windows\WBEM\msvbvm60.dll	Gaara.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe	csrss.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll	Kazekage.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe	system32.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe	system32.exe
File opened for modification	C:\Windows\mscomctl.ocx	smss.exe
File opened for modification	C:\Windows\system\mscoree.dll	Gaara.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe	smss.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe	Gaara.exe
File opened for modification	C:\Windows\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe	Kazekage.exe
File created	C:\Windows\mscomctl.ocx	c9915631_by_Libranalysis.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe	csrss.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe	Kazekage.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe	Kazekage.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe	Gaara.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe	csrss.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe	system32.exe
File opened for modification	C:\Windows\	system32.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	csrss.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe	csrss.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	Kazekage.exe
File created	C:\Windows\WBEM\msvbvm60.dll	system32.exe
File opened for modification	C:\Windows\	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe	Gaara.exe
File opened for modification	C:\Windows\system\mscoree.dll	smss.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe	Gaara.exe
File opened for modification	C:\Windows\system\mscoree.dll	Kazekage.exe
File opened for modification	C:\Windows\msvbvm60.dll	Kazekage.exe
File created	C:\Windows\Fonts\The Kazekage.jpg	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe	c9915631_by_Libranalysis.exe
File created	C:\Windows\WBEM\msvbvm60.dll	smss.exe
File created	C:\Windows\WBEM\msvbvm60.dll	csrss.exe
File created	C:\Windows\WBEM\msvbvm60.dll	Kazekage.exe
File opened for modification	C:\Windows\mscomctl.ocx	csrss.exe
File opened for modification	C:\Windows\system\mscoree.dll	c9915631_by_Libranalysis.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe	Gaara.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe	system32.exe
File opened for modification	C:\Windows\mscomctl.ocx	Gaara.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe	smss.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe	smss.exe
File opened for modification	C:\Windows\msvbvm60.dll	system32.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\system\mscoree.dll	csrss.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe	csrss.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe	system32.exe
File opened for modification	C:\Windows\mscomctl.ocx	c9915631_by_Libranalysis.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe	smss.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe	Gaara.exe
File opened for modification	C:\Windows\	csrss.exe

Modifies Control Panel 64 IoCs

evasion

Processes:

Kazekage.exesystem32.exec9915631_by_Libranalysis.exeGaara.exesmss.execsrss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "2"	Gaara.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Size = "72"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "2"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "2"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Size = "72"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "2"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	c9915631_by_Libranalysis.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	system32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	Kazekage.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Size = "72"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	Gaara.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Size = "72"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	Gaara.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "2"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	csrss.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

smss.exeGaara.execsrss.exesystem32.exec9915631_by_Libranalysis.exeKazekage.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	system32.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	c9915631_by_Libranalysis.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	c9915631_by_Libranalysis.exe

Modifies registry class 48 IoCs

Processes:

c9915631_by_Libranalysis.exesmss.exeGaara.exesystem32.exeKazekage.execsrss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	c9915631_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	c9915631_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	Gaara.exe

Runs ping.exe 1 TTPs 34 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
796	ping.exe
1756	ping.exe
2032	ping.exe
860	ping.exe
1392	ping.exe
328	ping.exe
112	ping.exe
1660	ping.exe
1300	ping.exe
328	ping.exe
1140	ping.exe
1852	ping.exe
628	ping.exe
520	ping.exe
1480	ping.exe
1060	ping.exe
552	ping.exe
336	ping.exe
984	ping.exe
1352	ping.exe
548	ping.exe
1744	ping.exe
588	ping.exe
844	ping.exe
1780	ping.exe
1156	ping.exe
1056	ping.exe
668	ping.exe
1696	ping.exe
1944	ping.exe
1696	ping.exe
1176	ping.exe
668	ping.exe
1840	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

csrss.exeKazekage.exesystem32.exec9915631_by_Libranalysis.exesmss.exeGaara.exe

pid	process
1648	csrss.exe
1648	csrss.exe
1648	csrss.exe
1648	csrss.exe
1648	csrss.exe
1648	csrss.exe
1648	csrss.exe
1648	csrss.exe
1648	csrss.exe
1648	csrss.exe
1648	csrss.exe
1648	csrss.exe
2012	Kazekage.exe
2012	Kazekage.exe
2012	Kazekage.exe
2012	Kazekage.exe
2012	Kazekage.exe
2012	Kazekage.exe
2012	Kazekage.exe
2012	Kazekage.exe
2012	Kazekage.exe
2012	Kazekage.exe
2012	Kazekage.exe
2012	Kazekage.exe
1608	system32.exe
1608	system32.exe
1608	system32.exe
1608	system32.exe
1608	system32.exe
1608	system32.exe
1608	system32.exe
1608	system32.exe
1608	system32.exe
1608	system32.exe
1608	system32.exe
1608	system32.exe
1996	c9915631_by_Libranalysis.exe
1996	c9915631_by_Libranalysis.exe
1996	c9915631_by_Libranalysis.exe
1996	c9915631_by_Libranalysis.exe
1996	c9915631_by_Libranalysis.exe
1996	c9915631_by_Libranalysis.exe
1996	c9915631_by_Libranalysis.exe
1996	c9915631_by_Libranalysis.exe
1996	c9915631_by_Libranalysis.exe
1996	c9915631_by_Libranalysis.exe
1996	c9915631_by_Libranalysis.exe
1996	c9915631_by_Libranalysis.exe
1980	smss.exe
1980	smss.exe
1980	smss.exe
1980	smss.exe
1980	smss.exe
1980	smss.exe
1980	smss.exe
1980	smss.exe
1980	smss.exe
1980	smss.exe
1980	smss.exe
1980	smss.exe
1724	Gaara.exe
1724	Gaara.exe
1724	Gaara.exe
1724	Gaara.exe

Suspicious use of SetWindowsHookEx 31 IoCs

Processes:

c9915631_by_Libranalysis.exesmss.exesmss.exeGaara.exesmss.exeGaara.execsrss.exesmss.exeGaara.execsrss.exeKazekage.exesmss.exeGaara.execsrss.exeKazekage.exesystem32.exesmss.exeGaara.execsrss.exeKazekage.exesystem32.exesystem32.exeKazekage.exesystem32.execsrss.exeKazekage.exesystem32.exeGaara.execsrss.exeKazekage.exesystem32.exe

pid	process
1996	c9915631_by_Libranalysis.exe
1980	smss.exe
1776	smss.exe
1724	Gaara.exe
1068	smss.exe
1848	Gaara.exe
1648	csrss.exe
816	smss.exe
268	Gaara.exe
992	csrss.exe
2012	Kazekage.exe
1696	smss.exe
1692	Gaara.exe
1764	csrss.exe
1604	Kazekage.exe
1608	system32.exe
1828	smss.exe
420	Gaara.exe
1104	csrss.exe
1944	Kazekage.exe
1740	system32.exe
1888	system32.exe
1212	Kazekage.exe
1628	system32.exe
1772	csrss.exe
1420	Kazekage.exe
1776	system32.exe
1760	Gaara.exe
1764	csrss.exe
1008	Kazekage.exe
528	system32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c9915631_by_Libranalysis.exesmss.exeGaara.execsrss.exeKazekage.exesystem32.exe

description	pid	process	target process
PID 1996 wrote to memory of 1980	1996	c9915631_by_Libranalysis.exe	smss.exe
PID 1996 wrote to memory of 1980	1996	c9915631_by_Libranalysis.exe	smss.exe
PID 1996 wrote to memory of 1980	1996	c9915631_by_Libranalysis.exe	smss.exe
PID 1996 wrote to memory of 1980	1996	c9915631_by_Libranalysis.exe	smss.exe
PID 1980 wrote to memory of 1776	1980	smss.exe	smss.exe
PID 1980 wrote to memory of 1776	1980	smss.exe	smss.exe
PID 1980 wrote to memory of 1776	1980	smss.exe	smss.exe
PID 1980 wrote to memory of 1776	1980	smss.exe	smss.exe
PID 1980 wrote to memory of 1724	1980	smss.exe	Gaara.exe
PID 1980 wrote to memory of 1724	1980	smss.exe	Gaara.exe
PID 1980 wrote to memory of 1724	1980	smss.exe	Gaara.exe
PID 1980 wrote to memory of 1724	1980	smss.exe	Gaara.exe
PID 1724 wrote to memory of 1068	1724	Gaara.exe	smss.exe
PID 1724 wrote to memory of 1068	1724	Gaara.exe	smss.exe
PID 1724 wrote to memory of 1068	1724	Gaara.exe	smss.exe
PID 1724 wrote to memory of 1068	1724	Gaara.exe	smss.exe
PID 1724 wrote to memory of 1848	1724	Gaara.exe	Gaara.exe
PID 1724 wrote to memory of 1848	1724	Gaara.exe	Gaara.exe
PID 1724 wrote to memory of 1848	1724	Gaara.exe	Gaara.exe
PID 1724 wrote to memory of 1848	1724	Gaara.exe	Gaara.exe
PID 1724 wrote to memory of 1648	1724	Gaara.exe	csrss.exe
PID 1724 wrote to memory of 1648	1724	Gaara.exe	csrss.exe
PID 1724 wrote to memory of 1648	1724	Gaara.exe	csrss.exe
PID 1724 wrote to memory of 1648	1724	Gaara.exe	csrss.exe
PID 1648 wrote to memory of 816	1648	csrss.exe	smss.exe
PID 1648 wrote to memory of 816	1648	csrss.exe	smss.exe
PID 1648 wrote to memory of 816	1648	csrss.exe	smss.exe
PID 1648 wrote to memory of 816	1648	csrss.exe	smss.exe
PID 1648 wrote to memory of 268	1648	csrss.exe	Gaara.exe
PID 1648 wrote to memory of 268	1648	csrss.exe	Gaara.exe
PID 1648 wrote to memory of 268	1648	csrss.exe	Gaara.exe
PID 1648 wrote to memory of 268	1648	csrss.exe	Gaara.exe
PID 1648 wrote to memory of 992	1648	csrss.exe	csrss.exe
PID 1648 wrote to memory of 992	1648	csrss.exe	csrss.exe
PID 1648 wrote to memory of 992	1648	csrss.exe	csrss.exe
PID 1648 wrote to memory of 992	1648	csrss.exe	csrss.exe
PID 1648 wrote to memory of 2012	1648	csrss.exe	Kazekage.exe
PID 1648 wrote to memory of 2012	1648	csrss.exe	Kazekage.exe
PID 1648 wrote to memory of 2012	1648	csrss.exe	Kazekage.exe
PID 1648 wrote to memory of 2012	1648	csrss.exe	Kazekage.exe
PID 2012 wrote to memory of 1696	2012	Kazekage.exe	smss.exe
PID 2012 wrote to memory of 1696	2012	Kazekage.exe	smss.exe
PID 2012 wrote to memory of 1696	2012	Kazekage.exe	smss.exe
PID 2012 wrote to memory of 1696	2012	Kazekage.exe	smss.exe
PID 2012 wrote to memory of 1692	2012	Kazekage.exe	Gaara.exe
PID 2012 wrote to memory of 1692	2012	Kazekage.exe	Gaara.exe
PID 2012 wrote to memory of 1692	2012	Kazekage.exe	Gaara.exe
PID 2012 wrote to memory of 1692	2012	Kazekage.exe	Gaara.exe
PID 2012 wrote to memory of 1764	2012	Kazekage.exe	csrss.exe
PID 2012 wrote to memory of 1764	2012	Kazekage.exe	csrss.exe
PID 2012 wrote to memory of 1764	2012	Kazekage.exe	csrss.exe
PID 2012 wrote to memory of 1764	2012	Kazekage.exe	csrss.exe
PID 2012 wrote to memory of 1604	2012	Kazekage.exe	Kazekage.exe
PID 2012 wrote to memory of 1604	2012	Kazekage.exe	Kazekage.exe
PID 2012 wrote to memory of 1604	2012	Kazekage.exe	Kazekage.exe
PID 2012 wrote to memory of 1604	2012	Kazekage.exe	Kazekage.exe
PID 2012 wrote to memory of 1608	2012	Kazekage.exe	system32.exe
PID 2012 wrote to memory of 1608	2012	Kazekage.exe	system32.exe
PID 2012 wrote to memory of 1608	2012	Kazekage.exe	system32.exe
PID 2012 wrote to memory of 1608	2012	Kazekage.exe	system32.exe
PID 1608 wrote to memory of 1828	1608	system32.exe	smss.exe
PID 1608 wrote to memory of 1828	1608	system32.exe	smss.exe
PID 1608 wrote to memory of 1828	1608	system32.exe	smss.exe
PID 1608 wrote to memory of 1828	1608	system32.exe	smss.exe

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

Processes:

system32.exec9915631_by_Libranalysis.exesmss.exeGaara.execsrss.exeKazekage.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	system32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c9915631_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	c9915631_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Kazekage.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Kazekage.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system32.exe

C:\Users\Admin\AppData\Local\Temp\c9915631_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\c9915631_by_Libranalysis.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1996

C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe"
2⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1980

C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1776

C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe"
3⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1724

C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1068

C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1848

C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe"
4⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1648

C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:816

C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:268

C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:992

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
5⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2012

C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1696

C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1692

C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1764

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1604

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
6⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1608

C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1828

C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:420

C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1104

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1740

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
7⤵
- Runs ping.exe
PID:336

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
7⤵
- Runs ping.exe
PID:1756

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
7⤵
- Runs ping.exe
PID:548

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
7⤵
- Runs ping.exe
PID:628

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
7⤵
- Runs ping.exe
PID:1140

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
7⤵
- Runs ping.exe
PID:2032

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
6⤵
- Runs ping.exe
PID:1852

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
6⤵
- Runs ping.exe
PID:328

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
6⤵
- Runs ping.exe
PID:1840

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
6⤵
- Runs ping.exe
PID:860

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1888

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
5⤵
- Runs ping.exe
PID:1660

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
5⤵
- Runs ping.exe
PID:552

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
5⤵
- Runs ping.exe
PID:1352

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
5⤵
- Runs ping.exe
PID:1156

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
5⤵
- Runs ping.exe
PID:1176

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
5⤵
- Runs ping.exe
PID:112

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1212

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1628

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
4⤵
- Runs ping.exe
PID:1696

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
4⤵
- Runs ping.exe
PID:796

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
4⤵
- Runs ping.exe
PID:1696

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
4⤵
- Runs ping.exe
PID:1300

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
4⤵
- Runs ping.exe
PID:668

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
4⤵
- Runs ping.exe
PID:588

C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1772

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1420

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1776

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
3⤵
- Runs ping.exe
PID:1480

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
3⤵
- Runs ping.exe
PID:668

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
3⤵
- Runs ping.exe
PID:1060

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
3⤵
- Runs ping.exe
PID:1392

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
3⤵
- Runs ping.exe
PID:1056

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
3⤵
- Runs ping.exe
PID:1744

C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1760

C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1764

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1008

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:528

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
2⤵
- Runs ping.exe
PID:844

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
2⤵
- Runs ping.exe
PID:1780

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
2⤵
- Runs ping.exe
PID:984

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
2⤵
- Runs ping.exe
PID:1944

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
2⤵
- Runs ping.exe
PID:520

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
2⤵
- Runs ping.exe
PID:328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
MD5
d74a5ee9e24ce8b52d93b7ab16b5d5a0

SHA1
99f88e2955c41341c0c62fcac29472ad4790c9b2

SHA256
5d38d473b2ae4cd7eb8dc475347150f68bdde2469b8412755478201d745d0a17

SHA512
67b8d222226d82a280bb128dc78c47b4611fe4c183d12e6f973424ef0546b5b3cfde60ecbe64d53533e7d8848d631232d90ecfde103d9f5e1825e50a3399ceab

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
MD5
d74a5ee9e24ce8b52d93b7ab16b5d5a0

SHA1
99f88e2955c41341c0c62fcac29472ad4790c9b2

SHA256
5d38d473b2ae4cd7eb8dc475347150f68bdde2469b8412755478201d745d0a17

SHA512
67b8d222226d82a280bb128dc78c47b4611fe4c183d12e6f973424ef0546b5b3cfde60ecbe64d53533e7d8848d631232d90ecfde103d9f5e1825e50a3399ceab

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
MD5
d74a5ee9e24ce8b52d93b7ab16b5d5a0

SHA1
99f88e2955c41341c0c62fcac29472ad4790c9b2

SHA256
5d38d473b2ae4cd7eb8dc475347150f68bdde2469b8412755478201d745d0a17

SHA512
67b8d222226d82a280bb128dc78c47b4611fe4c183d12e6f973424ef0546b5b3cfde60ecbe64d53533e7d8848d631232d90ecfde103d9f5e1825e50a3399ceab

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
MD5
d74a5ee9e24ce8b52d93b7ab16b5d5a0

SHA1
99f88e2955c41341c0c62fcac29472ad4790c9b2

SHA256
5d38d473b2ae4cd7eb8dc475347150f68bdde2469b8412755478201d745d0a17

SHA512
67b8d222226d82a280bb128dc78c47b4611fe4c183d12e6f973424ef0546b5b3cfde60ecbe64d53533e7d8848d631232d90ecfde103d9f5e1825e50a3399ceab

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
MD5
d74a5ee9e24ce8b52d93b7ab16b5d5a0

SHA1
99f88e2955c41341c0c62fcac29472ad4790c9b2

SHA256
5d38d473b2ae4cd7eb8dc475347150f68bdde2469b8412755478201d745d0a17

SHA512
67b8d222226d82a280bb128dc78c47b4611fe4c183d12e6f973424ef0546b5b3cfde60ecbe64d53533e7d8848d631232d90ecfde103d9f5e1825e50a3399ceab

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\MSVBVM60.DLL
MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
MD5
5453981a7ec8967178c734842c87a511

SHA1
4437c1763cf4ab9ab4d30e918df8e617c8e6377e

SHA256
8ebc373fc3a0f3c7e625ad88f7f9de30bb4b2119f642525729937247ae373087

SHA512
5442126f9755d15026bd9d451a8cee770cfc9622b341e364a14f22b3d3b99ce6952fe43e643e7ed68f646c63adc2e244930ac5a51e32bb4ab39c7c3fd8705deb

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
MD5
5453981a7ec8967178c734842c87a511

SHA1
4437c1763cf4ab9ab4d30e918df8e617c8e6377e

SHA256
8ebc373fc3a0f3c7e625ad88f7f9de30bb4b2119f642525729937247ae373087

SHA512
5442126f9755d15026bd9d451a8cee770cfc9622b341e364a14f22b3d3b99ce6952fe43e643e7ed68f646c63adc2e244930ac5a51e32bb4ab39c7c3fd8705deb

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
MD5
5453981a7ec8967178c734842c87a511

SHA1
4437c1763cf4ab9ab4d30e918df8e617c8e6377e

SHA256
8ebc373fc3a0f3c7e625ad88f7f9de30bb4b2119f642525729937247ae373087

SHA512
5442126f9755d15026bd9d451a8cee770cfc9622b341e364a14f22b3d3b99ce6952fe43e643e7ed68f646c63adc2e244930ac5a51e32bb4ab39c7c3fd8705deb

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
MD5
709797a48af4d80eb2ef4abc6ef4a75b

SHA1
bdd09da0709d9b9691d4629a7e67973105a14da5

SHA256
a044ce96db0cecbd9eccbb30628bd9157ffdc942e251c741409e3f4d4ffdaa2e

SHA512
c8b396c16066c85dff353efcc2795bdfddb4e9932ffe39ee3ae451fde429945a6f0b32f3a17f357c3080225c61465e6fab5b91a702ea2d53e66a758d267639e4

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
MD5
5453981a7ec8967178c734842c87a511

SHA1
4437c1763cf4ab9ab4d30e918df8e617c8e6377e

SHA256
8ebc373fc3a0f3c7e625ad88f7f9de30bb4b2119f642525729937247ae373087

SHA512
5442126f9755d15026bd9d451a8cee770cfc9622b341e364a14f22b3d3b99ce6952fe43e643e7ed68f646c63adc2e244930ac5a51e32bb4ab39c7c3fd8705deb

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
MD5
7546d2c72c6a33de3390703e2046b052

SHA1
a36333936e9174c50f0fe43b0ef14289a626e443

SHA256
7da41258de481f60e1f035dfff1e0f70a85216680ae910cf371bdc3271e93366

SHA512
1ec6a4e5015b1955bc8f784e803009df372d144b06f61dff9030dbd6009a8df0a248d735434e611c5c23af48a0d33c026aa9e69e15bc6d6c6b2b439444cb1acf

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
MD5
7546d2c72c6a33de3390703e2046b052

SHA1
a36333936e9174c50f0fe43b0ef14289a626e443

SHA256
7da41258de481f60e1f035dfff1e0f70a85216680ae910cf371bdc3271e93366

SHA512
1ec6a4e5015b1955bc8f784e803009df372d144b06f61dff9030dbd6009a8df0a248d735434e611c5c23af48a0d33c026aa9e69e15bc6d6c6b2b439444cb1acf

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
MD5
7546d2c72c6a33de3390703e2046b052

SHA1
a36333936e9174c50f0fe43b0ef14289a626e443

SHA256
7da41258de481f60e1f035dfff1e0f70a85216680ae910cf371bdc3271e93366

SHA512
1ec6a4e5015b1955bc8f784e803009df372d144b06f61dff9030dbd6009a8df0a248d735434e611c5c23af48a0d33c026aa9e69e15bc6d6c6b2b439444cb1acf

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
MD5
7546d2c72c6a33de3390703e2046b052

SHA1
a36333936e9174c50f0fe43b0ef14289a626e443

SHA256
7da41258de481f60e1f035dfff1e0f70a85216680ae910cf371bdc3271e93366

SHA512
1ec6a4e5015b1955bc8f784e803009df372d144b06f61dff9030dbd6009a8df0a248d735434e611c5c23af48a0d33c026aa9e69e15bc6d6c6b2b439444cb1acf

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
MD5
7546d2c72c6a33de3390703e2046b052

SHA1
a36333936e9174c50f0fe43b0ef14289a626e443

SHA256
7da41258de481f60e1f035dfff1e0f70a85216680ae910cf371bdc3271e93366

SHA512
1ec6a4e5015b1955bc8f784e803009df372d144b06f61dff9030dbd6009a8df0a248d735434e611c5c23af48a0d33c026aa9e69e15bc6d6c6b2b439444cb1acf

Download Submit
C:\Windows\Fonts\The Kazekage.jpg
MD5
d6b05020d4a0ec2a3a8b687099e335df

SHA1
df239d830ebcd1cde5c68c46a7b76dad49d415f4

SHA256
9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

SHA512
78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

Download Submit
C:\Windows\Fonts\The Kazekage.jpg
MD5
d6b05020d4a0ec2a3a8b687099e335df

SHA1
df239d830ebcd1cde5c68c46a7b76dad49d415f4

SHA256
9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

SHA512
78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

Download Submit
C:\Windows\Fonts\The Kazekage.jpg
MD5
d6b05020d4a0ec2a3a8b687099e335df

SHA1
df239d830ebcd1cde5c68c46a7b76dad49d415f4

SHA256
9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

SHA512
78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

Download Submit
C:\Windows\Fonts\The Kazekage.jpg
MD5
d6b05020d4a0ec2a3a8b687099e335df

SHA1
df239d830ebcd1cde5c68c46a7b76dad49d415f4

SHA256
9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

SHA512
78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

Download Submit
C:\Windows\SysWOW64\5-5-2021.exe
MD5
70f3662e749d408f1cd71fb3be3711c5

SHA1
78563537f70c124246146c6539c60413bd63eaa5

SHA256
d3c0c57f36a82ad2385c28c8127e3e158881d4056ae0958d5ec39c546c785c76

SHA512
c0a5cf2c1cd65bbed90a7164762a1d08a2a5bfa44f7b27cece1c1a8d3ec59ff8437d4e9e3aee64d4c8fe79e9123a4e098b397163545dff9fc56c8dbeec2e4db7

Download Submit
C:\Windows\SysWOW64\5-5-2021.exe
MD5
ccb8c53083700be4dc966d9c0b0d1d0f

SHA1
3869271e77f2f298011f26fd05d37e436de8b952

SHA256
e3d01c7eb1f26f330d7a401e49ebf315d721442fe89e0157c26371412afe4f67

SHA512
1a36620c6ea1c83d95eabf809cbcba0dd66ab4b78108e8975a2c46867750d652a64a74c3d801e5dc855443723792838ff01b095644352bf131397043cbfbbc64

Download Submit
C:\Windows\SysWOW64\5-5-2021.exe
MD5
d3ef33f561652a65735fb12b65b61d2e

SHA1
d930e3a06e8d6ff1824fb2d746ddddbc5c9b154e

SHA256
17093e990521631c656508b1fc66141eec7a61943b9b9526f3dec41ac1fafeb1

SHA512
9a4d409436eb9c0852aaaeba57f2b99cff73e35e8f3db2d21a601b317c330a2f32bc7f7effbd7f2dc9d1eaa7b656771890d036ce5692803d4ad0f1a0a20399dc

Download Submit
C:\Windows\SysWOW64\5-5-2021.exe
MD5
fa559399594488ced5477c3f2e4df2df

SHA1
8be49f2e9e22f431ad5e40b2b1a19f95b196763d

SHA256
ea26443eb344b67469e7e732612475ed707be914f4451886e3027cb7c5c7ccad

SHA512
f3e20c8ca7eb6c8cddcc2fa0d844e3d65b3417bc4f5ce05d851d4ee1eef952bbc4bd46188d62e45c1b413769edce924a7d6a3460bb5083d36ff20901052b47b2

Download Submit
C:\Windows\SysWOW64\drivers\Kazekage.exe
MD5
4002866af8490e46df8e63ee05aba853

SHA1
6bd279bcbacdf32495eae6045254717e2c3e130d

SHA256
05c7adbc013efb0127081a5d5c79360716dfdb6c5ae45aa8f9dc8fea02c4ca52

SHA512
725671f4b64d6e9c6efb145425f76effcf19302c2cafe2eff64da062886ab65f4efd1d66d36320e698fde7da1170d326bbb6e4dcfe86d4eb8b653d1e2289357e

Download Submit
C:\Windows\SysWOW64\drivers\Kazekage.exe
MD5
9090db50bf7ff111bcaa85f26a830b94

SHA1
ab9c2c7646bf69fee6aa054323783180303e4a70

SHA256
9c02b83d5b3469347397989e7eb947583ca7945e03f313cc05f889c710f49f90

SHA512
0732b502592172067f33d48134028dd2bd29f1894e4b09a0a738a9afb3db99df3b315c3e7aa003a1972e54e86b886181c81d8e46ec1f286e019258b7e2dd68cb

Download Submit
C:\Windows\SysWOW64\drivers\Kazekage.exe
MD5
9090db50bf7ff111bcaa85f26a830b94

SHA1
ab9c2c7646bf69fee6aa054323783180303e4a70

SHA256
9c02b83d5b3469347397989e7eb947583ca7945e03f313cc05f889c710f49f90

SHA512
0732b502592172067f33d48134028dd2bd29f1894e4b09a0a738a9afb3db99df3b315c3e7aa003a1972e54e86b886181c81d8e46ec1f286e019258b7e2dd68cb

Download Submit
C:\Windows\SysWOW64\drivers\Kazekage.exe
MD5
9090db50bf7ff111bcaa85f26a830b94

SHA1
ab9c2c7646bf69fee6aa054323783180303e4a70

SHA256
9c02b83d5b3469347397989e7eb947583ca7945e03f313cc05f889c710f49f90

SHA512
0732b502592172067f33d48134028dd2bd29f1894e4b09a0a738a9afb3db99df3b315c3e7aa003a1972e54e86b886181c81d8e46ec1f286e019258b7e2dd68cb

Download Submit
C:\Windows\SysWOW64\drivers\Kazekage.exe
MD5
39423b2856cb5ef6dc7178c74f38625c

SHA1
6520e099f3ff56ace3c247e7ed8098448b451858

SHA256
ec2a9c680cc8c5af17da3018775a32b3076c134efdf99cf8822e97c31e9555ba

SHA512
c5bada0c026031cf6cb70d40ac80e2110d30f70edd19b940d4d6b79e73a8d112e85b2194969b2005e26f6e5ab362b7d5f0610456c25305318848091f094703ee

Download Submit
C:\Windows\SysWOW64\drivers\system32.exe
MD5
8cf787d0e734bf11ac2cd442df08cec1

SHA1
12498153324626c3558c7cb08fc7cda46f98e628

SHA256
6c32a3547b1192fa932e1f4bb9ad13a0186efa229f068896b92f1ed326fd2271

SHA512
fbcb9ec65603ee505338ea228e240dfd753a42c40c45c7ce97b1f158631ceebf6f9775e5bce4381dc3e21b85228a32662d26d9bd6ed765be1874fd5d8dbba615

Download Submit
C:\Windows\SysWOW64\drivers\system32.exe
MD5
5c1d27877beb8527605a49a48a2be85e

SHA1
c5f5223c30abac3d620ce19ad13b249934f32671

SHA256
f08cc37002c2273923c7653b87c12c881179fd9aafac89bfd9fe23d703842378

SHA512
7712ca01a9aaab5529022d1db5871a93225317c72047496433199b0ea0c6cb1a22dc1c4dbe594bc98e511c30aa4a0d50fd7d523a74fe3dba64ee3bffd39de653

Download Submit
C:\Windows\SysWOW64\drivers\system32.exe
MD5
fcc820824b1f5731a8b4f1473ce1c3cb

SHA1
75388f5966b6f249ae60934127f8034cc8d5b6c1

SHA256
10b9fed793dc30869020b09c44585ef5bb84ed7d5e31f4ac3cc3aa0c3b7e5a9d

SHA512
cbe52d79bea90b2965b1c9035d3b6bd7a43d21e7e3839e9435c17a1545a75c1dae993325f25b4872fce523990478cd99739313f2991fe6d9dad4c5ef98758ff1

Download Submit
C:\Windows\SysWOW64\drivers\system32.exe
MD5
ea3f8fae053ab7dc8bcfab68354116f3

SHA1
de1062ff2ab3b1741d487ec53d7365601e39ed78

SHA256
6816ed78a5efefe207023bb534da612f85681bed01358abfc11020defe687885

SHA512
65801789e235e335fd5ef9063ab48dd2b3bc10cc88d88e31883f94434424d58e25939fa1f5ac58bd89577a8276137bf6d856f115fdf99499459eb6f2c8546d8f

Download Submit
C:\Windows\msvbvm60.dll
MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\msvbvm60.dll
MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\msvbvm60.dll
MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\msvbvm60.dll
MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\system\msvbvm60.dll
MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\system\msvbvm60.dll
MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\system\msvbvm60.dll
MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
C:\Windows\system\msvbvm60.dll
MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
MD5
d74a5ee9e24ce8b52d93b7ab16b5d5a0

SHA1
99f88e2955c41341c0c62fcac29472ad4790c9b2

SHA256
5d38d473b2ae4cd7eb8dc475347150f68bdde2469b8412755478201d745d0a17

SHA512
67b8d222226d82a280bb128dc78c47b4611fe4c183d12e6f973424ef0546b5b3cfde60ecbe64d53533e7d8848d631232d90ecfde103d9f5e1825e50a3399ceab

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
MD5
d74a5ee9e24ce8b52d93b7ab16b5d5a0

SHA1
99f88e2955c41341c0c62fcac29472ad4790c9b2

SHA256
5d38d473b2ae4cd7eb8dc475347150f68bdde2469b8412755478201d745d0a17

SHA512
67b8d222226d82a280bb128dc78c47b4611fe4c183d12e6f973424ef0546b5b3cfde60ecbe64d53533e7d8848d631232d90ecfde103d9f5e1825e50a3399ceab

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
MD5
d74a5ee9e24ce8b52d93b7ab16b5d5a0

SHA1
99f88e2955c41341c0c62fcac29472ad4790c9b2

SHA256
5d38d473b2ae4cd7eb8dc475347150f68bdde2469b8412755478201d745d0a17

SHA512
67b8d222226d82a280bb128dc78c47b4611fe4c183d12e6f973424ef0546b5b3cfde60ecbe64d53533e7d8848d631232d90ecfde103d9f5e1825e50a3399ceab

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
MD5
d74a5ee9e24ce8b52d93b7ab16b5d5a0

SHA1
99f88e2955c41341c0c62fcac29472ad4790c9b2

SHA256
5d38d473b2ae4cd7eb8dc475347150f68bdde2469b8412755478201d745d0a17

SHA512
67b8d222226d82a280bb128dc78c47b4611fe4c183d12e6f973424ef0546b5b3cfde60ecbe64d53533e7d8848d631232d90ecfde103d9f5e1825e50a3399ceab

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
MD5
5453981a7ec8967178c734842c87a511

SHA1
4437c1763cf4ab9ab4d30e918df8e617c8e6377e

SHA256
8ebc373fc3a0f3c7e625ad88f7f9de30bb4b2119f642525729937247ae373087

SHA512
5442126f9755d15026bd9d451a8cee770cfc9622b341e364a14f22b3d3b99ce6952fe43e643e7ed68f646c63adc2e244930ac5a51e32bb4ab39c7c3fd8705deb

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
MD5
5453981a7ec8967178c734842c87a511

SHA1
4437c1763cf4ab9ab4d30e918df8e617c8e6377e

SHA256
8ebc373fc3a0f3c7e625ad88f7f9de30bb4b2119f642525729937247ae373087

SHA512
5442126f9755d15026bd9d451a8cee770cfc9622b341e364a14f22b3d3b99ce6952fe43e643e7ed68f646c63adc2e244930ac5a51e32bb4ab39c7c3fd8705deb

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
5343a19c618bc515ceb1695586c6c137

SHA1
4dedae8cbde066f31c8e6b52c0baa3f8b1117742

SHA256
2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

SHA512
708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
MD5
7546d2c72c6a33de3390703e2046b052

SHA1
a36333936e9174c50f0fe43b0ef14289a626e443

SHA256
7da41258de481f60e1f035dfff1e0f70a85216680ae910cf371bdc3271e93366

SHA512
1ec6a4e5015b1955bc8f784e803009df372d144b06f61dff9030dbd6009a8df0a248d735434e611c5c23af48a0d33c026aa9e69e15bc6d6c6b2b439444cb1acf

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
MD5
7546d2c72c6a33de3390703e2046b052

SHA1
a36333936e9174c50f0fe43b0ef14289a626e443

SHA256
7da41258de481f60e1f035dfff1e0f70a85216680ae910cf371bdc3271e93366

SHA512
1ec6a4e5015b1955bc8f784e803009df372d144b06f61dff9030dbd6009a8df0a248d735434e611c5c23af48a0d33c026aa9e69e15bc6d6c6b2b439444cb1acf

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
MD5
7546d2c72c6a33de3390703e2046b052

SHA1
a36333936e9174c50f0fe43b0ef14289a626e443

SHA256
7da41258de481f60e1f035dfff1e0f70a85216680ae910cf371bdc3271e93366

SHA512
1ec6a4e5015b1955bc8f784e803009df372d144b06f61dff9030dbd6009a8df0a248d735434e611c5c23af48a0d33c026aa9e69e15bc6d6c6b2b439444cb1acf

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
MD5
7546d2c72c6a33de3390703e2046b052

SHA1
a36333936e9174c50f0fe43b0ef14289a626e443

SHA256
7da41258de481f60e1f035dfff1e0f70a85216680ae910cf371bdc3271e93366

SHA512
1ec6a4e5015b1955bc8f784e803009df372d144b06f61dff9030dbd6009a8df0a248d735434e611c5c23af48a0d33c026aa9e69e15bc6d6c6b2b439444cb1acf

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
MD5
7546d2c72c6a33de3390703e2046b052

SHA1
a36333936e9174c50f0fe43b0ef14289a626e443

SHA256
7da41258de481f60e1f035dfff1e0f70a85216680ae910cf371bdc3271e93366

SHA512
1ec6a4e5015b1955bc8f784e803009df372d144b06f61dff9030dbd6009a8df0a248d735434e611c5c23af48a0d33c026aa9e69e15bc6d6c6b2b439444cb1acf

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
MD5
7546d2c72c6a33de3390703e2046b052

SHA1
a36333936e9174c50f0fe43b0ef14289a626e443

SHA256
7da41258de481f60e1f035dfff1e0f70a85216680ae910cf371bdc3271e93366

SHA512
1ec6a4e5015b1955bc8f784e803009df372d144b06f61dff9030dbd6009a8df0a248d735434e611c5c23af48a0d33c026aa9e69e15bc6d6c6b2b439444cb1acf

Download Submit
\Windows\SysWOW64\drivers\Kazekage.exe
MD5
9090db50bf7ff111bcaa85f26a830b94

SHA1
ab9c2c7646bf69fee6aa054323783180303e4a70

SHA256
9c02b83d5b3469347397989e7eb947583ca7945e03f313cc05f889c710f49f90

SHA512
0732b502592172067f33d48134028dd2bd29f1894e4b09a0a738a9afb3db99df3b315c3e7aa003a1972e54e86b886181c81d8e46ec1f286e019258b7e2dd68cb

Download Submit
\Windows\SysWOW64\drivers\Kazekage.exe
MD5
9090db50bf7ff111bcaa85f26a830b94

SHA1
ab9c2c7646bf69fee6aa054323783180303e4a70

SHA256
9c02b83d5b3469347397989e7eb947583ca7945e03f313cc05f889c710f49f90

SHA512
0732b502592172067f33d48134028dd2bd29f1894e4b09a0a738a9afb3db99df3b315c3e7aa003a1972e54e86b886181c81d8e46ec1f286e019258b7e2dd68cb

Download Submit
memory/112-244-0x0000000000000000-mapping.dmp

Download
memory/268-142-0x0000000000000000-mapping.dmp

Download
memory/328-235-0x0000000000000000-mapping.dmp

Download
memory/328-241-0x0000000000000000-mapping.dmp

Download
memory/336-226-0x0000000000000000-mapping.dmp

Download
memory/420-191-0x0000000000000000-mapping.dmp

Download
memory/520-240-0x0000000000000000-mapping.dmp

Download
memory/528-217-0x0000000000000000-mapping.dmp

Download
memory/548-238-0x0000000000000000-mapping.dmp

Download
memory/552-225-0x0000000000000000-mapping.dmp

Download
memory/588-247-0x0000000000000000-mapping.dmp

Download
memory/628-239-0x0000000000000000-mapping.dmp

Download
memory/668-246-0x0000000000000000-mapping.dmp

Download
memory/668-221-0x0000000000000000-mapping.dmp

Download
memory/796-223-0x0000000000000000-mapping.dmp

Download
memory/816-135-0x0000000000000000-mapping.dmp

Download
memory/844-218-0x0000000000000000-mapping.dmp

Download
memory/860-251-0x0000000000000000-mapping.dmp

Download
memory/984-228-0x0000000000000000-mapping.dmp

Download
memory/992-148-0x0000000000000000-mapping.dmp

Download
memory/1008-216-0x0000000000000000-mapping.dmp

Download
memory/1056-243-0x0000000000000000-mapping.dmp

Download
memory/1060-230-0x0000000000000000-mapping.dmp

Download
memory/1068-106-0x0000000000000000-mapping.dmp

Download
memory/1104-195-0x0000000000000000-mapping.dmp

Download
memory/1140-248-0x0000000000000000-mapping.dmp

Download
memory/1156-237-0x0000000000000000-mapping.dmp

Download
memory/1176-242-0x0000000000000000-mapping.dmp

Download
memory/1212-209-0x0000000000000000-mapping.dmp

Download
memory/1300-233-0x0000000000000000-mapping.dmp

Download
memory/1352-236-0x0000000000000000-mapping.dmp

Download
memory/1392-231-0x0000000000000000-mapping.dmp

Download
memory/1420-212-0x0000000000000000-mapping.dmp

Download
memory/1480-220-0x0000000000000000-mapping.dmp

Download
memory/1604-179-0x0000000000000000-mapping.dmp

Download
memory/1608-183-0x0000000000000000-mapping.dmp

Download
memory/1628-210-0x0000000000000000-mapping.dmp

Download
memory/1648-121-0x0000000000000000-mapping.dmp

Download
memory/1660-224-0x0000000000000000-mapping.dmp

Download
memory/1692-171-0x0000000000000000-mapping.dmp

Download
memory/1696-232-0x0000000000000000-mapping.dmp

Download
memory/1696-167-0x0000000000000000-mapping.dmp

Download
memory/1696-222-0x0000000000000000-mapping.dmp

Download
memory/1724-90-0x0000000000000000-mapping.dmp

Download
memory/1740-203-0x0000000000000000-mapping.dmp

Download
memory/1744-245-0x0000000000000000-mapping.dmp

Download
memory/1756-227-0x0000000000000000-mapping.dmp

Download
memory/1760-214-0x0000000000000000-mapping.dmp

Download
memory/1764-175-0x0000000000000000-mapping.dmp

Download
memory/1764-215-0x0000000000000000-mapping.dmp

Download
memory/1772-211-0x0000000000000000-mapping.dmp

Download
memory/1776-213-0x0000000000000000-mapping.dmp

Download
memory/1776-82-0x0000000000000000-mapping.dmp

Download
memory/1780-219-0x0000000000000000-mapping.dmp

Download
memory/1828-187-0x0000000000000000-mapping.dmp

Download
memory/1840-250-0x0000000000000000-mapping.dmp

Download
memory/1848-113-0x0000000000000000-mapping.dmp

Download
memory/1852-234-0x0000000000000000-mapping.dmp

Download
memory/1888-207-0x0000000000000000-mapping.dmp

Download
memory/1944-199-0x0000000000000000-mapping.dmp

Download
memory/1944-229-0x0000000000000000-mapping.dmp

Download
memory/1980-65-0x0000000000000000-mapping.dmp

Download
memory/1996-62-0x0000000075D41000-0x0000000075D43000-memory.dmp

Filesize
8KB

Download
memory/2012-156-0x0000000000000000-mapping.dmp

Download
memory/2032-249-0x0000000000000000-mapping.dmp

Download