1c958bc2a268ce3f104a35882f694f8bead71015937bfb99b0986400ab29d703

Analysis

max time kernel
119s
max time network
155s
platform
windows10_x64
resource
win10v20210410
submitted
05-05-2021 11:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9915631_by_Libranalysis.exe
Size

124KB
MD5

c9915631dd271219bf51fe0a46a1d8ff
SHA1

7d6b0dd72dd6dd3261b0f30525c6860f86de012f
SHA256

1c958bc2a268ce3f104a35882f694f8bead71015937bfb99b0986400ab29d703
SHA512

045d441879636ebc9c6a25994a6aa08172bec3756829bba7b2eb188ee1585d7659f77e43d505c61032a5d36815f205f29b875ae5354fe13857941f366dae0941

Score

10^/10

evasion persistence ransomware trojan

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 12 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

Kazekage.exesmss.exesystem32.exec9915631_by_Libranalysis.execsrss.exeGaara.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"	csrss.exe

Modifies visibility of file extensions in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
Modifies visiblity of hidden/system files in Explorer 2 TTPs
evasion

Hidden Files and Directories
T1158

Modify Registry
T1112
UAC bypass 3 TTPs
evasion trojan

Bypass User Account Control
T1088

Disabling Security Tools
T1089

Modify Registry
T1112
Disables RegEdit via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Drops file in Drivers directory 24 IoCs

Processes:

Kazekage.execsrss.exeGaara.exesmss.exec9915631_by_Libranalysis.exesystem32.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	Kazekage.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	c9915631_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	c9915631_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	Kazekage.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	system32.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	system32.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	system32.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	smss.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	Gaara.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	c9915631_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\drivers\Kazekage.exe	csrss.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	Kazekage.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\drivers\Kazekage.exe	system32.exe
File created	C:\Windows\SysWOW64\drivers\system32.exe	smss.exe
File opened for modification	C:\Windows\SysWOW64\drivers\system32.exe	c9915631_by_Libranalysis.exe

Executes dropped EXE 30 IoCs

Processes:

smss.exesmss.exeGaara.exesmss.exeGaara.execsrss.exesmss.exeGaara.execsrss.exeKazekage.exesmss.exeGaara.execsrss.exeKazekage.exesystem32.exesmss.exeGaara.execsrss.exeKazekage.exesystem32.exesystem32.exeKazekage.exesystem32.execsrss.exeKazekage.exesystem32.exeGaara.execsrss.exeKazekage.exesystem32.exe

pid	process
2384	smss.exe
2944	smss.exe
3100	Gaara.exe
1368	smss.exe
3784	Gaara.exe
1612	csrss.exe
1040	smss.exe
3816	Gaara.exe
2680	csrss.exe
1624	Kazekage.exe
200	smss.exe
3048	Gaara.exe
2528	csrss.exe
3312	Kazekage.exe
3676	system32.exe
1376	smss.exe
1040	Gaara.exe
3800	csrss.exe
1196	Kazekage.exe
200	system32.exe
3776	system32.exe
3484	Kazekage.exe
3976	system32.exe
1664	csrss.exe
2388	Kazekage.exe
2504	system32.exe
2632	Gaara.exe
3040	csrss.exe
1196	Kazekage.exe
3048	system32.exe

Sets file execution options in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 18 IoCs

Processes:

smss.exesmss.exeGaara.exesmss.exeGaara.execsrss.exesmss.exeGaara.execsrss.exesmss.exeGaara.execsrss.exesmss.exeGaara.execsrss.execsrss.exeGaara.execsrss.exe

pid	process
2384	smss.exe
2944	smss.exe
3100	Gaara.exe
1368	smss.exe
3784	Gaara.exe
1612	csrss.exe
1040	smss.exe
3816	Gaara.exe
2680	csrss.exe
200	smss.exe
3048	Gaara.exe
2528	csrss.exe
1376	smss.exe
1040	Gaara.exe
3800	csrss.exe
1664	csrss.exe
2632	Gaara.exe
3040	csrss.exe

Adds Run key to start application 2 TTPs 30 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

Kazekage.exesmss.exeGaara.execsrss.exec9915631_by_Libranalysis.exesystem32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	Kazekage.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	c9915631_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe"	system32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	smss.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 5 - 5 - 2021\\smss.exe"	c9915631_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 5 - 5 - 2021\\Gaara.exe"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "5-5-2021.exe"	c9915631_by_Libranalysis.exe

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

csrss.exec9915631_by_Libranalysis.exeKazekage.exesmss.exeGaara.exesystem32.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c9915631_by_Libranalysis.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Kazekage.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Gaara.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system32.exe

Drops desktop.ini file(s) 64 IoCs

Processes:

Gaara.execsrss.exeKazekage.exesystem32.exec9915631_by_Libranalysis.exesmss.exe

description	ioc	process
File opened for modification	D:\Desktop.ini	Gaara.exe
File opened for modification	\??\M:\Desktop.ini	Gaara.exe
File opened for modification	\??\Y:\Desktop.ini	csrss.exe
File opened for modification	\??\M:\Desktop.ini	Kazekage.exe
File opened for modification	\??\P:\Desktop.ini	csrss.exe
File opened for modification	\??\H:\Desktop.ini	Gaara.exe
File opened for modification	\??\L:\Desktop.ini	system32.exe
File opened for modification	\??\U:\Desktop.ini	Gaara.exe
File opened for modification	\??\Y:\Desktop.ini	Gaara.exe
File opened for modification	\??\S:\Desktop.ini	system32.exe
File opened for modification	\??\V:\Desktop.ini	system32.exe
File opened for modification	\??\L:\Desktop.ini	Gaara.exe
File opened for modification	\??\N:\Desktop.ini	Gaara.exe
File opened for modification	\??\M:\Desktop.ini	c9915631_by_Libranalysis.exe
File opened for modification	\??\A:\Desktop.ini	smss.exe
File opened for modification	\??\I:\Desktop.ini	Kazekage.exe
File opened for modification	\??\R:\Desktop.ini	Kazekage.exe
File opened for modification	\??\Y:\Desktop.ini	Kazekage.exe
File opened for modification	\??\F:\Desktop.ini	c9915631_by_Libranalysis.exe
File opened for modification	\??\L:\Desktop.ini	smss.exe
File opened for modification	\??\B:\Desktop.ini	system32.exe
File opened for modification	\??\T:\Desktop.ini	system32.exe
File opened for modification	\??\A:\Desktop.ini	c9915631_by_Libranalysis.exe
File opened for modification	\??\Q:\Desktop.ini	Kazekage.exe
File opened for modification	\??\T:\Desktop.ini	csrss.exe
File opened for modification	\??\X:\Desktop.ini	csrss.exe
File opened for modification	\??\S:\Desktop.ini	Kazekage.exe
File opened for modification	\??\W:\Desktop.ini	Gaara.exe
File opened for modification	\??\H:\Desktop.ini	csrss.exe
File opened for modification	\??\L:\Desktop.ini	csrss.exe
File opened for modification	\??\R:\Desktop.ini	csrss.exe
File opened for modification	\??\V:\Desktop.ini	smss.exe
File opened for modification	\??\Q:\Desktop.ini	Gaara.exe
File opened for modification	C:\Desktop.ini	Kazekage.exe
File opened for modification	\??\B:\Desktop.ini	smss.exe
File opened for modification	\??\Z:\Desktop.ini	smss.exe
File opened for modification	\??\S:\Desktop.ini	Gaara.exe
File opened for modification	\??\N:\Desktop.ini	csrss.exe
File opened for modification	\??\G:\Desktop.ini	c9915631_by_Libranalysis.exe
File opened for modification	\??\L:\Desktop.ini	c9915631_by_Libranalysis.exe
File opened for modification	\??\X:\Desktop.ini	smss.exe
File opened for modification	\??\E:\Desktop.ini	Gaara.exe
File opened for modification	\??\K:\Desktop.ini	Gaara.exe
File opened for modification	\??\P:\Desktop.ini	system32.exe
File opened for modification	\??\X:\Desktop.ini	Gaara.exe
File opened for modification	\??\K:\Desktop.ini	csrss.exe
File opened for modification	\??\Z:\Desktop.ini	Kazekage.exe
File opened for modification	\??\F:\Desktop.ini	smss.exe
File opened for modification	\??\G:\Desktop.ini	Gaara.exe
File opened for modification	\??\B:\Desktop.ini	csrss.exe
File opened for modification	\??\S:\Desktop.ini	csrss.exe
File opened for modification	\??\X:\Desktop.ini	c9915631_by_Libranalysis.exe
File opened for modification	\??\L:\Desktop.ini	Kazekage.exe
File opened for modification	\??\W:\Desktop.ini	smss.exe
File opened for modification	\??\A:\Desktop.ini	Gaara.exe
File opened for modification	\??\H:\Desktop.ini	system32.exe
File opened for modification	\??\P:\Desktop.ini	Kazekage.exe
File opened for modification	\??\H:\Desktop.ini	smss.exe
File opened for modification	\??\I:\Desktop.ini	smss.exe
File opened for modification	\??\U:\Desktop.ini	smss.exe
File opened for modification	\??\I:\Desktop.ini	csrss.exe
File opened for modification	\??\R:\Desktop.ini	Gaara.exe
File opened for modification	\??\F:\Desktop.ini	csrss.exe
File opened for modification	\??\J:\Desktop.ini	csrss.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

Kazekage.exeGaara.execsrss.exesmss.exesystem32.exec9915631_by_Libranalysis.exe

description	ioc	process
File opened (read-only)	\??\U:	Kazekage.exe
File opened (read-only)	\??\E:	Gaara.exe
File opened (read-only)	\??\W:	Gaara.exe
File opened (read-only)	\??\X:	csrss.exe
File opened (read-only)	\??\Y:	csrss.exe
File opened (read-only)	\??\G:	Kazekage.exe
File opened (read-only)	\??\Q:	smss.exe
File opened (read-only)	\??\A:	Gaara.exe
File opened (read-only)	\??\S:	Kazekage.exe
File opened (read-only)	\??\T:	smss.exe
File opened (read-only)	\??\F:	Gaara.exe
File opened (read-only)	\??\V:	Gaara.exe
File opened (read-only)	\??\B:	Kazekage.exe
File opened (read-only)	\??\F:	Kazekage.exe
File opened (read-only)	\??\X:	Kazekage.exe
File opened (read-only)	\??\M:	system32.exe
File opened (read-only)	\??\V:	c9915631_by_Libranalysis.exe
File opened (read-only)	\??\I:	Kazekage.exe
File opened (read-only)	\??\R:	csrss.exe
File opened (read-only)	\??\L:	c9915631_by_Libranalysis.exe
File opened (read-only)	\??\R:	c9915631_by_Libranalysis.exe
File opened (read-only)	\??\O:	smss.exe
File opened (read-only)	\??\P:	smss.exe
File opened (read-only)	\??\T:	Gaara.exe
File opened (read-only)	\??\W:	Kazekage.exe
File opened (read-only)	\??\L:	system32.exe
File opened (read-only)	\??\S:	Gaara.exe
File opened (read-only)	\??\U:	system32.exe
File opened (read-only)	\??\H:	c9915631_by_Libranalysis.exe
File opened (read-only)	\??\T:	c9915631_by_Libranalysis.exe
File opened (read-only)	\??\I:	smss.exe
File opened (read-only)	\??\U:	Gaara.exe
File opened (read-only)	\??\X:	system32.exe
File opened (read-only)	\??\Z:	system32.exe
File opened (read-only)	\??\W:	smss.exe
File opened (read-only)	\??\X:	Gaara.exe
File opened (read-only)	\??\H:	csrss.exe
File opened (read-only)	\??\S:	smss.exe
File opened (read-only)	\??\G:	system32.exe
File opened (read-only)	\??\N:	system32.exe
File opened (read-only)	\??\Q:	system32.exe
File opened (read-only)	\??\K:	csrss.exe
File opened (read-only)	\??\Z:	csrss.exe
File opened (read-only)	\??\U:	c9915631_by_Libranalysis.exe
File opened (read-only)	\??\W:	c9915631_by_Libranalysis.exe
File opened (read-only)	\??\O:	Kazekage.exe
File opened (read-only)	\??\O:	csrss.exe
File opened (read-only)	\??\U:	csrss.exe
File opened (read-only)	\??\E:	c9915631_by_Libranalysis.exe
File opened (read-only)	\??\B:	smss.exe
File opened (read-only)	\??\J:	Kazekage.exe
File opened (read-only)	\??\U:	smss.exe
File opened (read-only)	\??\L:	smss.exe
File opened (read-only)	\??\X:	smss.exe
File opened (read-only)	\??\B:	Gaara.exe
File opened (read-only)	\??\Y:	Gaara.exe
File opened (read-only)	\??\S:	system32.exe
File opened (read-only)	\??\E:	Kazekage.exe
File opened (read-only)	\??\G:	smss.exe
File opened (read-only)	\??\K:	smss.exe
File opened (read-only)	\??\H:	Gaara.exe
File opened (read-only)	\??\E:	csrss.exe
File opened (read-only)	\??\N:	csrss.exe
File opened (read-only)	\??\N:	Kazekage.exe

Drops autorun.inf file 1 TTPs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Drops file in System32 directory 39 IoCs

Processes:

smss.execsrss.exeKazekage.exesystem32.exec9915631_by_Libranalysis.exeGaara.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\5-5-2021.exe	smss.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	smss.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	csrss.exe
File opened for modification	C:\Windows\SysWOW64\	csrss.exe
File opened for modification	C:\Windows\SysWOW64\	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\5-5-2021.exe	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\5-5-2021.exe	system32.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	system32.exe
File created	C:\Windows\SysWOW64\5-5-2021.exe	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\5-5-2021.exe	csrss.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\	system32.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	csrss.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Kazekage.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	system32.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	smss.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	system32.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	system32.exe
File opened for modification	C:\Windows\SysWOW64\5-5-2021.exe	Gaara.exe
File created	C:\Windows\SysWOW64\Desktop.ini	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	csrss.exe
File opened for modification	C:\Windows\SysWOW64\5-5-2021.exe	c9915631_by_Libranalysis.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\msvbvm60.dll	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\	smss.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	Kazekage.exe
File opened for modification	C:\Windows\SysWOW64\	Gaara.exe
File created	C:\Windows\SysWOW64\msvbvm60.dll	Gaara.exe
File created	C:\Windows\SysWOW64\mscomctl.ocx	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\SysWOW64\Desktop.ini	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	Gaara.exe
File opened for modification	C:\Windows\SysWOW64\mscomctl.ocx	Kazekage.exe

Sets desktop wallpaper using registry 2 TTPs 6 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

Gaara.execsrss.exeKazekage.exesystem32.exec9915631_by_Libranalysis.exesmss.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	smss.exe

Drops file in Windows directory 64 IoCs

Processes:

c9915631_by_Libranalysis.exeGaara.execsrss.exesystem32.exesmss.exeKazekage.exe

description	ioc	process
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe	Gaara.exe
File opened for modification	C:\Windows\system\mscoree.dll	csrss.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe	system32.exe
File opened for modification	C:\Windows\mscomctl.ocx	smss.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe	smss.exe
File created	C:\Windows\WBEM\msvbvm60.dll	csrss.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe	smss.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\msvbvm60.dll	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe	Gaara.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe	csrss.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe	system32.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe	c9915631_by_Libranalysis.exe
File created	C:\Windows\msvbvm60.dll	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe	smss.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll	Gaara.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe	Kazekage.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	Kazekage.exe
File created	C:\Windows\WBEM\msvbvm60.dll	Kazekage.exe
File opened for modification	C:\Windows\system\mscoree.dll	system32.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll	system32.exe
File opened for modification	C:\Windows\mscomctl.ocx	Gaara.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe	csrss.exe
File opened for modification	C:\Windows\msvbvm60.dll	csrss.exe
File opened for modification	C:\Windows\msvbvm60.dll	Kazekage.exe
File opened for modification	C:\Windows\system\mscoree.dll	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\system\mscoree.dll	Gaara.exe
File opened for modification	C:\Windows\msvbvm60.dll	Gaara.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe	csrss.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	Gaara.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll	Kazekage.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	system32.exe
File opened for modification	C:\Windows\msvbvm60.dll	system32.exe
File opened for modification	C:\Windows\mscomctl.ocx	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\mscomctl.ocx	csrss.exe
File opened for modification	C:\Windows\mscomctl.ocx	Kazekage.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	smss.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	Gaara.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe	Gaara.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe	Kazekage.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	system32.exe
File created	C:\Windows\WBEM\msvbvm60.dll	system32.exe
File opened for modification	C:\Windows\Fonts\The Kazekage.jpg	csrss.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe	Kazekage.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe	system32.exe
File created	C:\Windows\mscomctl.ocx	c9915631_by_Libranalysis.exe
File created	C:\Windows\Fonts\The Kazekage.jpg	c9915631_by_Libranalysis.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\system\msvbvm60.dll	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe	smss.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe	csrss.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe	system32.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll	c9915631_by_Libranalysis.exe
File opened for modification	C:\Windows\system\mscoree.dll	smss.exe
File opened for modification	C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe	Gaara.exe
File opened for modification	C:\Windows\system\mscoree.dll	Kazekage.exe
File created	C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe	smss.exe
File opened for modification	C:\Windows\	Gaara.exe
File opened for modification	C:\Windows\	csrss.exe
File opened for modification	C:\Windows\	system32.exe

Modifies Control Panel 64 IoCs

evasion

Processes:

Gaara.execsrss.exesmss.exesystem32.exeKazekage.exec9915631_by_Libranalysis.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Size = "72"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallpaperStyle = "2"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallpaperStyle = "2"	Gaara.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop	Kazekage.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallpaperStyle = "2"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Size = "72"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Size = "72"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	Gaara.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	Gaara.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	Gaara.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Size = "72"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Size = "72"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0"	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Speed = "4"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee	c9915631_by_Libranalysis.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg"	Kazekage.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee	Kazekage.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0"	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Screen Saver.Marquee\Size = "72"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"	c9915631_by_Libranalysis.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop	smss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\Desktop\WallpaperStyle = "2"	Kazekage.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

Kazekage.execsrss.exec9915631_by_Libranalysis.exesmss.exeGaara.exesystem32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	Kazekage.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	csrss.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	c9915631_by_Libranalysis.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	Kazekage.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	Gaara.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	Gaara.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	system32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!"	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	c9915631_by_Libranalysis.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	smss.exe

Modifies registry class 48 IoCs

Processes:

c9915631_by_Libranalysis.exeKazekage.exesystem32.execsrss.exeGaara.exesmss.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	c9915631_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	c9915631_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	Kazekage.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	c9915631_by_Libranalysis.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	c9915631_by_Libranalysis.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	smss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	Gaara.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe"	system32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0"	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command	csrss.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe"	c9915631_by_Libranalysis.exe

Runs ping.exe 1 TTPs 32 IoCs

Remote System Discovery

T1018

Processes:

ping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exeping.exe

pid	process
760	ping.exe
3476	ping.exe
1172	ping.exe
216	ping.exe
4020	ping.exe
2100	ping.exe
3552	ping.exe
204	ping.exe
1288	ping.exe
836	ping.exe
3048	ping.exe
812	ping.exe
3916	ping.exe
3760	ping.exe
1972	ping.exe
2320	ping.exe
956	ping.exe
360	ping.exe
1036	ping.exe
2676	ping.exe
3256	ping.exe
2540	ping.exe
3552	ping.exe
3908	ping.exe
2288	ping.exe
3476	ping.exe
540	ping.exe
1020	ping.exe
664	ping.exe
2676	ping.exe
2388	ping.exe
3188	ping.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Kazekage.exesmss.exeGaara.exe

pid	process
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
1624	Kazekage.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
2384	smss.exe
3100	Gaara.exe
3100	Gaara.exe
3100	Gaara.exe
3100	Gaara.exe
3100	Gaara.exe
3100	Gaara.exe
3100	Gaara.exe
3100	Gaara.exe
3100	Gaara.exe
3100	Gaara.exe
3100	Gaara.exe
3100	Gaara.exe
3100	Gaara.exe
3100	Gaara.exe
3100	Gaara.exe
3100	Gaara.exe

Suspicious use of SetWindowsHookEx 31 IoCs

Processes:

c9915631_by_Libranalysis.exesmss.exesmss.exeGaara.exesmss.exeGaara.execsrss.exesmss.exeGaara.execsrss.exeKazekage.exesmss.exeGaara.execsrss.exeKazekage.exesystem32.exesmss.exeGaara.execsrss.exeKazekage.exesystem32.exesystem32.exeKazekage.exesystem32.execsrss.exeKazekage.exesystem32.exeGaara.execsrss.exeKazekage.exesystem32.exe

pid	process
3896	c9915631_by_Libranalysis.exe
2384	smss.exe
2944	smss.exe
3100	Gaara.exe
1368	smss.exe
3784	Gaara.exe
1612	csrss.exe
1040	smss.exe
3816	Gaara.exe
2680	csrss.exe
1624	Kazekage.exe
200	smss.exe
3048	Gaara.exe
2528	csrss.exe
3312	Kazekage.exe
3676	system32.exe
1376	smss.exe
1040	Gaara.exe
3800	csrss.exe
1196	Kazekage.exe
200	system32.exe
3776	system32.exe
3484	Kazekage.exe
3976	system32.exe
1664	csrss.exe
2388	Kazekage.exe
2504	system32.exe
2632	Gaara.exe
3040	csrss.exe
1196	Kazekage.exe
3048	system32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c9915631_by_Libranalysis.exesmss.exeGaara.execsrss.exeKazekage.exesystem32.exe

description	pid	process	target process
PID 3896 wrote to memory of 2384	3896	c9915631_by_Libranalysis.exe	smss.exe
PID 3896 wrote to memory of 2384	3896	c9915631_by_Libranalysis.exe	smss.exe
PID 3896 wrote to memory of 2384	3896	c9915631_by_Libranalysis.exe	smss.exe
PID 2384 wrote to memory of 2944	2384	smss.exe	smss.exe
PID 2384 wrote to memory of 2944	2384	smss.exe	smss.exe
PID 2384 wrote to memory of 2944	2384	smss.exe	smss.exe
PID 2384 wrote to memory of 3100	2384	smss.exe	Gaara.exe
PID 2384 wrote to memory of 3100	2384	smss.exe	Gaara.exe
PID 2384 wrote to memory of 3100	2384	smss.exe	Gaara.exe
PID 3100 wrote to memory of 1368	3100	Gaara.exe	smss.exe
PID 3100 wrote to memory of 1368	3100	Gaara.exe	smss.exe
PID 3100 wrote to memory of 1368	3100	Gaara.exe	smss.exe
PID 3100 wrote to memory of 3784	3100	Gaara.exe	Gaara.exe
PID 3100 wrote to memory of 3784	3100	Gaara.exe	Gaara.exe
PID 3100 wrote to memory of 3784	3100	Gaara.exe	Gaara.exe
PID 3100 wrote to memory of 1612	3100	Gaara.exe	csrss.exe
PID 3100 wrote to memory of 1612	3100	Gaara.exe	csrss.exe
PID 3100 wrote to memory of 1612	3100	Gaara.exe	csrss.exe
PID 1612 wrote to memory of 1040	1612	csrss.exe	smss.exe
PID 1612 wrote to memory of 1040	1612	csrss.exe	smss.exe
PID 1612 wrote to memory of 1040	1612	csrss.exe	smss.exe
PID 1612 wrote to memory of 3816	1612	csrss.exe	Gaara.exe
PID 1612 wrote to memory of 3816	1612	csrss.exe	Gaara.exe
PID 1612 wrote to memory of 3816	1612	csrss.exe	Gaara.exe
PID 1612 wrote to memory of 2680	1612	csrss.exe	csrss.exe
PID 1612 wrote to memory of 2680	1612	csrss.exe	csrss.exe
PID 1612 wrote to memory of 2680	1612	csrss.exe	csrss.exe
PID 1612 wrote to memory of 1624	1612	csrss.exe	Kazekage.exe
PID 1612 wrote to memory of 1624	1612	csrss.exe	Kazekage.exe
PID 1612 wrote to memory of 1624	1612	csrss.exe	Kazekage.exe
PID 1624 wrote to memory of 200	1624	Kazekage.exe	smss.exe
PID 1624 wrote to memory of 200	1624	Kazekage.exe	smss.exe
PID 1624 wrote to memory of 200	1624	Kazekage.exe	smss.exe
PID 1624 wrote to memory of 3048	1624	Kazekage.exe	Gaara.exe
PID 1624 wrote to memory of 3048	1624	Kazekage.exe	Gaara.exe
PID 1624 wrote to memory of 3048	1624	Kazekage.exe	Gaara.exe
PID 1624 wrote to memory of 2528	1624	Kazekage.exe	csrss.exe
PID 1624 wrote to memory of 2528	1624	Kazekage.exe	csrss.exe
PID 1624 wrote to memory of 2528	1624	Kazekage.exe	csrss.exe
PID 1624 wrote to memory of 3312	1624	Kazekage.exe	Kazekage.exe
PID 1624 wrote to memory of 3312	1624	Kazekage.exe	Kazekage.exe
PID 1624 wrote to memory of 3312	1624	Kazekage.exe	Kazekage.exe
PID 1624 wrote to memory of 3676	1624	Kazekage.exe	system32.exe
PID 1624 wrote to memory of 3676	1624	Kazekage.exe	system32.exe
PID 1624 wrote to memory of 3676	1624	Kazekage.exe	system32.exe
PID 3676 wrote to memory of 1376	3676	system32.exe	smss.exe
PID 3676 wrote to memory of 1376	3676	system32.exe	smss.exe
PID 3676 wrote to memory of 1376	3676	system32.exe	smss.exe
PID 3676 wrote to memory of 1040	3676	system32.exe	Gaara.exe
PID 3676 wrote to memory of 1040	3676	system32.exe	Gaara.exe
PID 3676 wrote to memory of 1040	3676	system32.exe	Gaara.exe
PID 3676 wrote to memory of 3800	3676	system32.exe	csrss.exe
PID 3676 wrote to memory of 3800	3676	system32.exe	csrss.exe
PID 3676 wrote to memory of 3800	3676	system32.exe	csrss.exe
PID 3676 wrote to memory of 1196	3676	system32.exe	Kazekage.exe
PID 3676 wrote to memory of 1196	3676	system32.exe	Kazekage.exe
PID 3676 wrote to memory of 1196	3676	system32.exe	Kazekage.exe
PID 3676 wrote to memory of 200	3676	system32.exe	system32.exe
PID 3676 wrote to memory of 200	3676	system32.exe	system32.exe
PID 3676 wrote to memory of 200	3676	system32.exe	system32.exe
PID 1612 wrote to memory of 3776	1612	csrss.exe	system32.exe
PID 1612 wrote to memory of 3776	1612	csrss.exe	system32.exe
PID 1612 wrote to memory of 3776	1612	csrss.exe	system32.exe
PID 3100 wrote to memory of 3484	3100	Gaara.exe	Kazekage.exe

System policy modification 1 TTPs 12 IoCs

evasion

Modify Registry

T1112

Processes:

Gaara.exesystem32.exeKazekage.exesmss.execsrss.exec9915631_by_Libranalysis.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	system32.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	system32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Kazekage.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Kazekage.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	smss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	smss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	Gaara.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	csrss.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	csrss.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	c9915631_by_Libranalysis.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	c9915631_by_Libranalysis.exe

C:\Users\Admin\AppData\Local\Temp\c9915631_by_Libranalysis.exe
"C:\Users\Admin\AppData\Local\Temp\c9915631_by_Libranalysis.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3896

C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe"
2⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2384

C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2944

C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe"
3⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3100

C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1368

C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3784

C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe"
4⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1612

C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1040

C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3816

C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe"
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2680

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
5⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1624

C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:200

C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3048

C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe"
6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2528

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3312

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
6⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3676

C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1376

C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1040

C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe"
7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3800

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:200

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
7⤵
- Runs ping.exe
PID:2288

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
7⤵
- Runs ping.exe
PID:2320

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
7⤵
- Runs ping.exe
PID:540

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
7⤵
- Runs ping.exe
PID:836

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
7⤵
- Runs ping.exe
PID:3552

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
7⤵
- Runs ping.exe
PID:3048

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
6⤵
- Runs ping.exe
PID:3188

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
6⤵
- Runs ping.exe
PID:204

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
6⤵
- Runs ping.exe
PID:1172

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
6⤵
- Runs ping.exe
PID:216

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
6⤵
- Runs ping.exe
PID:664

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
6⤵
- Runs ping.exe
PID:3908

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
5⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3776

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
5⤵
- Runs ping.exe
PID:2540

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
5⤵
- Runs ping.exe
PID:3760

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
5⤵
- Runs ping.exe
PID:3476

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
5⤵
- Runs ping.exe
PID:360

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
5⤵
- Runs ping.exe
PID:2100

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
5⤵
- Runs ping.exe
PID:1020

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3484

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
4⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3976

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
4⤵
- Runs ping.exe
PID:3916

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
4⤵
- Runs ping.exe
PID:3552

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
4⤵
- Runs ping.exe
PID:3476

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
4⤵
- Runs ping.exe
PID:2676

C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2388

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2504

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
3⤵
- Runs ping.exe
PID:3256

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
3⤵
- Runs ping.exe
PID:812

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
3⤵
- Runs ping.exe
PID:1036

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
3⤵
- Runs ping.exe
PID:1288

C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:2632

C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
"C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:3040

C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3048

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
2⤵
- Runs ping.exe
PID:2676

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
2⤵
- Runs ping.exe
PID:2388

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
2⤵
- Runs ping.exe
PID:956

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
2⤵
- Runs ping.exe
PID:1972

C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
2⤵
- Runs ping.exe
PID:760

C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
2⤵
- Runs ping.exe
PID:4020

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Winlogon Helper DLL

T1004

Hidden Files and Directories

T1158

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Modify Registry

T1112

Hidden Files and Directories

T1158

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Remote System Discovery

T1018

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

T1490

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
MD5
b5ac95bf5f43ab2d14e3b9afdc7a9eef

SHA1
9602d66411548ec80be41dae7fdf3a200a54d33a

SHA256
df469daa56ed07c3fdc767a5122fb73f473f11af7811ceadd063027b7d89a723

SHA512
733aaf23ceb0d5f4bf8d6dba27b922d46b61d3e7008df2a2adfa7c39386fbac571555dc663e73a7e1ad98a42e85fe25cb22cc9a6931a6c0aa944207f21010987

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
MD5
b5ac95bf5f43ab2d14e3b9afdc7a9eef

SHA1
9602d66411548ec80be41dae7fdf3a200a54d33a

SHA256
df469daa56ed07c3fdc767a5122fb73f473f11af7811ceadd063027b7d89a723

SHA512
733aaf23ceb0d5f4bf8d6dba27b922d46b61d3e7008df2a2adfa7c39386fbac571555dc663e73a7e1ad98a42e85fe25cb22cc9a6931a6c0aa944207f21010987

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
MD5
b5ac95bf5f43ab2d14e3b9afdc7a9eef

SHA1
9602d66411548ec80be41dae7fdf3a200a54d33a

SHA256
df469daa56ed07c3fdc767a5122fb73f473f11af7811ceadd063027b7d89a723

SHA512
733aaf23ceb0d5f4bf8d6dba27b922d46b61d3e7008df2a2adfa7c39386fbac571555dc663e73a7e1ad98a42e85fe25cb22cc9a6931a6c0aa944207f21010987

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
MD5
b5ac95bf5f43ab2d14e3b9afdc7a9eef

SHA1
9602d66411548ec80be41dae7fdf3a200a54d33a

SHA256
df469daa56ed07c3fdc767a5122fb73f473f11af7811ceadd063027b7d89a723

SHA512
733aaf23ceb0d5f4bf8d6dba27b922d46b61d3e7008df2a2adfa7c39386fbac571555dc663e73a7e1ad98a42e85fe25cb22cc9a6931a6c0aa944207f21010987

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
MD5
b5ac95bf5f43ab2d14e3b9afdc7a9eef

SHA1
9602d66411548ec80be41dae7fdf3a200a54d33a

SHA256
df469daa56ed07c3fdc767a5122fb73f473f11af7811ceadd063027b7d89a723

SHA512
733aaf23ceb0d5f4bf8d6dba27b922d46b61d3e7008df2a2adfa7c39386fbac571555dc663e73a7e1ad98a42e85fe25cb22cc9a6931a6c0aa944207f21010987

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\Gaara.exe
MD5
b5ac95bf5f43ab2d14e3b9afdc7a9eef

SHA1
9602d66411548ec80be41dae7fdf3a200a54d33a

SHA256
df469daa56ed07c3fdc767a5122fb73f473f11af7811ceadd063027b7d89a723

SHA512
733aaf23ceb0d5f4bf8d6dba27b922d46b61d3e7008df2a2adfa7c39386fbac571555dc663e73a7e1ad98a42e85fe25cb22cc9a6931a6c0aa944207f21010987

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\MSVBVM60.DLL
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
MD5
cb37062f5487b3c6e4a97fc867ac6682

SHA1
e5f27c3ad525e9880e6f17582a4e3902b7dae620

SHA256
d774f71ab77bef7e57a683affeed9d888ca8949e2a7007fa73bce717c0be6e8b

SHA512
8e03e4988b136002797d1915b1688bca7f0ca06cb5d1e9f8119bba062ce2c6e6ba4db8000eb277c64787e112ca029c1dbb52edf3fddb88308073c5a77d5b36ce

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
MD5
19674aa489413717e589b30a782296e4

SHA1
fc4a4870956907f34fa5e9cac2f7cbade4c55033

SHA256
5c832390ad2a264895cbfe71f45f1b562622fba59b305bcdfda462cbacb4996a

SHA512
22c2ccde98aa0128cdd00bf1e4b00e8043eb266ed916650fd21c2503c8053d8b3bbb495c8d853ce80661013854db07b80e4cbaa7bf7b00f8bf8e94745865a5a3

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
MD5
19674aa489413717e589b30a782296e4

SHA1
fc4a4870956907f34fa5e9cac2f7cbade4c55033

SHA256
5c832390ad2a264895cbfe71f45f1b562622fba59b305bcdfda462cbacb4996a

SHA512
22c2ccde98aa0128cdd00bf1e4b00e8043eb266ed916650fd21c2503c8053d8b3bbb495c8d853ce80661013854db07b80e4cbaa7bf7b00f8bf8e94745865a5a3

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
MD5
19674aa489413717e589b30a782296e4

SHA1
fc4a4870956907f34fa5e9cac2f7cbade4c55033

SHA256
5c832390ad2a264895cbfe71f45f1b562622fba59b305bcdfda462cbacb4996a

SHA512
22c2ccde98aa0128cdd00bf1e4b00e8043eb266ed916650fd21c2503c8053d8b3bbb495c8d853ce80661013854db07b80e4cbaa7bf7b00f8bf8e94745865a5a3

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
MD5
19674aa489413717e589b30a782296e4

SHA1
fc4a4870956907f34fa5e9cac2f7cbade4c55033

SHA256
5c832390ad2a264895cbfe71f45f1b562622fba59b305bcdfda462cbacb4996a

SHA512
22c2ccde98aa0128cdd00bf1e4b00e8043eb266ed916650fd21c2503c8053d8b3bbb495c8d853ce80661013854db07b80e4cbaa7bf7b00f8bf8e94745865a5a3

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\csrss.exe
MD5
19674aa489413717e589b30a782296e4

SHA1
fc4a4870956907f34fa5e9cac2f7cbade4c55033

SHA256
5c832390ad2a264895cbfe71f45f1b562622fba59b305bcdfda462cbacb4996a

SHA512
22c2ccde98aa0128cdd00bf1e4b00e8043eb266ed916650fd21c2503c8053d8b3bbb495c8d853ce80661013854db07b80e4cbaa7bf7b00f8bf8e94745865a5a3

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
MD5
4a9a6e8ce1295ce906c9d678d33cd946

SHA1
f2ee6df1f6b308dff87cbd6af88c56549e65d579

SHA256
6274851cf01246a6ee2d8ee36c3acb51ac1197a9d850f6976019648f9274531b

SHA512
de7a6594d026dbd5fa4ae89661c03404ea07aab85c6d692fd7c8d75e5ca4c6ad6d76556b0f30bfca8a08f9d7bedc2ca5e8b652bf104e2d52d586d1043fa2faa4

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
MD5
4a9a6e8ce1295ce906c9d678d33cd946

SHA1
f2ee6df1f6b308dff87cbd6af88c56549e65d579

SHA256
6274851cf01246a6ee2d8ee36c3acb51ac1197a9d850f6976019648f9274531b

SHA512
de7a6594d026dbd5fa4ae89661c03404ea07aab85c6d692fd7c8d75e5ca4c6ad6d76556b0f30bfca8a08f9d7bedc2ca5e8b652bf104e2d52d586d1043fa2faa4

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
MD5
4a9a6e8ce1295ce906c9d678d33cd946

SHA1
f2ee6df1f6b308dff87cbd6af88c56549e65d579

SHA256
6274851cf01246a6ee2d8ee36c3acb51ac1197a9d850f6976019648f9274531b

SHA512
de7a6594d026dbd5fa4ae89661c03404ea07aab85c6d692fd7c8d75e5ca4c6ad6d76556b0f30bfca8a08f9d7bedc2ca5e8b652bf104e2d52d586d1043fa2faa4

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
MD5
4a9a6e8ce1295ce906c9d678d33cd946

SHA1
f2ee6df1f6b308dff87cbd6af88c56549e65d579

SHA256
6274851cf01246a6ee2d8ee36c3acb51ac1197a9d850f6976019648f9274531b

SHA512
de7a6594d026dbd5fa4ae89661c03404ea07aab85c6d692fd7c8d75e5ca4c6ad6d76556b0f30bfca8a08f9d7bedc2ca5e8b652bf104e2d52d586d1043fa2faa4

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
MD5
4a9a6e8ce1295ce906c9d678d33cd946

SHA1
f2ee6df1f6b308dff87cbd6af88c56549e65d579

SHA256
6274851cf01246a6ee2d8ee36c3acb51ac1197a9d850f6976019648f9274531b

SHA512
de7a6594d026dbd5fa4ae89661c03404ea07aab85c6d692fd7c8d75e5ca4c6ad6d76556b0f30bfca8a08f9d7bedc2ca5e8b652bf104e2d52d586d1043fa2faa4

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
MD5
4a9a6e8ce1295ce906c9d678d33cd946

SHA1
f2ee6df1f6b308dff87cbd6af88c56549e65d579

SHA256
6274851cf01246a6ee2d8ee36c3acb51ac1197a9d850f6976019648f9274531b

SHA512
de7a6594d026dbd5fa4ae89661c03404ea07aab85c6d692fd7c8d75e5ca4c6ad6d76556b0f30bfca8a08f9d7bedc2ca5e8b652bf104e2d52d586d1043fa2faa4

Download Submit
C:\Windows\Fonts\Admin 5 - 5 - 2021\smss.exe
MD5
4a9a6e8ce1295ce906c9d678d33cd946

SHA1
f2ee6df1f6b308dff87cbd6af88c56549e65d579

SHA256
6274851cf01246a6ee2d8ee36c3acb51ac1197a9d850f6976019648f9274531b

SHA512
de7a6594d026dbd5fa4ae89661c03404ea07aab85c6d692fd7c8d75e5ca4c6ad6d76556b0f30bfca8a08f9d7bedc2ca5e8b652bf104e2d52d586d1043fa2faa4

Download Submit
C:\Windows\Fonts\The Kazekage.jpg
MD5
d6b05020d4a0ec2a3a8b687099e335df

SHA1
df239d830ebcd1cde5c68c46a7b76dad49d415f4

SHA256
9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

SHA512
78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

Download Submit
C:\Windows\Fonts\The Kazekage.jpg
MD5
d6b05020d4a0ec2a3a8b687099e335df

SHA1
df239d830ebcd1cde5c68c46a7b76dad49d415f4

SHA256
9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

SHA512
78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

Download Submit
C:\Windows\Fonts\The Kazekage.jpg
MD5
d6b05020d4a0ec2a3a8b687099e335df

SHA1
df239d830ebcd1cde5c68c46a7b76dad49d415f4

SHA256
9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

SHA512
78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

Download Submit
C:\Windows\Fonts\The Kazekage.jpg
MD5
d6b05020d4a0ec2a3a8b687099e335df

SHA1
df239d830ebcd1cde5c68c46a7b76dad49d415f4

SHA256
9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

SHA512
78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

Download Submit
C:\Windows\Fonts\The Kazekage.jpg
MD5
d6b05020d4a0ec2a3a8b687099e335df

SHA1
df239d830ebcd1cde5c68c46a7b76dad49d415f4

SHA256
9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

SHA512
78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

Download Submit
C:\Windows\SysWOW64\5-5-2021.exe
MD5
a02ecd48bbf30a5cc641961bb2dd21f8

SHA1
9bc0ad2240c161db76f722707cb5fc1206aea74e

SHA256
907a9e50fe5be9b9921a9a87956d362d6e5d044edaa67d95203da31b74c20f9e

SHA512
39a10d76be199dc5fe52ddf3df02b47e094cf3c7535c088a871ec8a4046b01e9986e31d4d762086eac7e59ae1102ab155b5d34325a9b4ce6c7f46b1f4f214450

Download Submit
C:\Windows\SysWOW64\5-5-2021.exe
MD5
a57542ddac265f5e9ba3f8b83e78d3cf

SHA1
c3309f5f36da15ec6dd01868966a948e218aa591

SHA256
43648aa5a1b375e95303935c836298364152d3fc7a852dc5b23bb4301269cbe9

SHA512
d2aa11b046a2e1f60c22e59b04a3e601a8f2aee35bf1182e15487c8fbe276331ff35e7797e0f29fa3d5556670445a7d6c94e064f9d2445a9fc5e821dc89ca865

Download Submit
C:\Windows\SysWOW64\5-5-2021.exe
MD5
7532b61823bdf5be4a74a3058f10a634

SHA1
bacb0e4c478b3f5d50d44ebd562d3f1947b57ae4

SHA256
a4290e763c8cd56a12d009179e5757e826fd75bc829a6e3934c02293f44fd21d

SHA512
df121f83d90c4b108d501089b3248eb8fbdc82b0c2cbf59549a4be116d89b692ffd382f0571c1960028806ccf1814e12632e52b45fde557e043e4f6d8c56350a

Download Submit
C:\Windows\SysWOW64\5-5-2021.exe
MD5
9f4f45912393d9184a2d6ffefb8eb8a6

SHA1
7d9cb4c72aa1ec23c33ae96f3de4eccca55c9d26

SHA256
cdfb3bae25c0087ed69133dd9bd7c3da09bd5755ac0ed9ecc05bc04ed5f93d81

SHA512
8ea6dbd5fc864851bbaa9b77c5b5e4d8d67d7946dbfbfc916b03e9032dbb764eb51e8cd110cc70535d5e96235552a64a763f9f0a255cd41405c92a1be81bc76d

Download Submit
C:\Windows\SysWOW64\5-5-2021.exe
MD5
3daa9d5c5247dcc563ca072128d0ada4

SHA1
b5e474303deb3d64a146ef7a4e26934cd63af004

SHA256
f9d3e3ff07608ddd92104a4f822fc000dd302ffd06bb021238726fe59cfc2c25

SHA512
9cde7303819315db80746e0d37302ec4a68a95f3b8a7cb954fc9c24e08d6d72a427f9425b6da949a2df169491c79ff94dc3d56cfac309043570ca658dcc9ddce

Download Submit
C:\Windows\SysWOW64\drivers\Kazekage.exe
MD5
2eead6b2494b621b97f8732be3650eb6

SHA1
a7ffd9109ea795f05c520955e6ffd7449869f5fe

SHA256
a0a7999799e11e2f20743a60b9e2d47a285b3fdd0f23c9d256cf9c25626a4bef

SHA512
7fb843c5e47f64413d66ddc697faabb8ac94be26fd4eb1f5b5b06dcea8f11a6b6a1457fec68f7b0e18bdfb4bcf23cd7af9390ac0d5448042b03fbc9d93362756

Download Submit
C:\Windows\SysWOW64\drivers\Kazekage.exe
MD5
e26a3c331ab15872993b1e883d0d2f98

SHA1
ec8e9886bba7cc6bc1b69168cd405ab73f3abf99

SHA256
c14d8e563e8f7bd0181181ca0b5a01fb0f6c5a157683fb4d12b5bf68776d23eb

SHA512
e6add3290301567cf7a38faca46dc4d51e7516d6f4ceb282c10da435e06bc3bc6e1817e20cc66b696bba1cb90469c5d79c1fd0eeb84390fa32f0ba3e8d472b01

Download Submit
C:\Windows\SysWOW64\drivers\Kazekage.exe
MD5
144f8d82bf0e06d4ee3ea1a738892a22

SHA1
62e8ced46628e84df9381509d910316d902c326d

SHA256
86a1debb45ac49ddbcb45eca3825809c8b7ecf4a25f6d8fa3fd473623f0630a6

SHA512
be13807c0534523f3571148055f52eaff3231dca315e08f297aedd3aef10a05f96fc0c21f80556ce40fe0803b3282fd61896254b9c039170f8e0bd91e25a468b

Download Submit
C:\Windows\SysWOW64\drivers\Kazekage.exe
MD5
144f8d82bf0e06d4ee3ea1a738892a22

SHA1
62e8ced46628e84df9381509d910316d902c326d

SHA256
86a1debb45ac49ddbcb45eca3825809c8b7ecf4a25f6d8fa3fd473623f0630a6

SHA512
be13807c0534523f3571148055f52eaff3231dca315e08f297aedd3aef10a05f96fc0c21f80556ce40fe0803b3282fd61896254b9c039170f8e0bd91e25a468b

Download Submit
C:\Windows\SysWOW64\drivers\Kazekage.exe
MD5
144f8d82bf0e06d4ee3ea1a738892a22

SHA1
62e8ced46628e84df9381509d910316d902c326d

SHA256
86a1debb45ac49ddbcb45eca3825809c8b7ecf4a25f6d8fa3fd473623f0630a6

SHA512
be13807c0534523f3571148055f52eaff3231dca315e08f297aedd3aef10a05f96fc0c21f80556ce40fe0803b3282fd61896254b9c039170f8e0bd91e25a468b

Download Submit
C:\Windows\SysWOW64\drivers\Kazekage.exe
MD5
144f8d82bf0e06d4ee3ea1a738892a22

SHA1
62e8ced46628e84df9381509d910316d902c326d

SHA256
86a1debb45ac49ddbcb45eca3825809c8b7ecf4a25f6d8fa3fd473623f0630a6

SHA512
be13807c0534523f3571148055f52eaff3231dca315e08f297aedd3aef10a05f96fc0c21f80556ce40fe0803b3282fd61896254b9c039170f8e0bd91e25a468b

Download Submit
C:\Windows\SysWOW64\drivers\system32.exe
MD5
5978785c10b6583d942c592996747324

SHA1
494ac036e3e0cc89301e9b99e625849cb3dacf62

SHA256
144cfc297143c8fc2821e06d1281e0e182e4a9b6e9de924dfdd6066c1564fd37

SHA512
a75c5e674c76a105f277250bae02a9db5e8960e1c28fdf82010f7e8b4370b5da7c3483085560c2ddc7ba5d0c77c2a664dcd34b5879b57b20c27a91b90f5a3522

Download Submit
C:\Windows\SysWOW64\drivers\system32.exe
MD5
b697020c4fd85e067c3216c002df86d6

SHA1
46f1cea5fc2f334d7b346e0977dc5cd5717726b2

SHA256
9f2262a9bd5a22acf460561dab4d4187c9e690e7c3b77bc34df0e17796fa3177

SHA512
64d52350a20a795c2aaebeceaf147d134cdc453db71fa5682a1223542c491153dd0bf4ad6dc2c1a56448e4d7beae86e6cd0c2855f2e185d31a7b973e12a569b1

Download Submit
C:\Windows\SysWOW64\drivers\system32.exe
MD5
324465e8e906eeee9065ef9a94e48a18

SHA1
b2b3f3cb8fde22a8decdf0440320cf884e43c512

SHA256
18c8c9f7a6e89afd92f7e5be9418b18ac5f2c3e9a1bdf213b4ccbd6af733e85a

SHA512
18cddcd22fce346b5606f443793cbdc1e0efc77e5079d9acc9cd24cbfa8a43ae200b1893a30c13e076ac49d881df999b1c1c12b5eaa0a2b33f11baf38cfbfe38

Download Submit
C:\Windows\SysWOW64\drivers\system32.exe
MD5
d5100ba21b9c4126dc63342f38bb8961

SHA1
056dd7b3c148b71694e7f8ba8438b31c821d12f2

SHA256
9408c43441ef4d5359696e82d745e4960f3b2b68401faf4c666cb487b5c93c84

SHA512
339a4c234465856d8f8ec21b20a46f38a99ed4bf56e8450ec61afd5f6913411805d05b72e0e93607885b43347a26299842601640c89f02628760cbda18f7461d

Download Submit
C:\Windows\SysWOW64\drivers\system32.exe
MD5
d5100ba21b9c4126dc63342f38bb8961

SHA1
056dd7b3c148b71694e7f8ba8438b31c821d12f2

SHA256
9408c43441ef4d5359696e82d745e4960f3b2b68401faf4c666cb487b5c93c84

SHA512
339a4c234465856d8f8ec21b20a46f38a99ed4bf56e8450ec61afd5f6913411805d05b72e0e93607885b43347a26299842601640c89f02628760cbda18f7461d

Download Submit
C:\Windows\SysWOW64\drivers\system32.exe
MD5
d5100ba21b9c4126dc63342f38bb8961

SHA1
056dd7b3c148b71694e7f8ba8438b31c821d12f2

SHA256
9408c43441ef4d5359696e82d745e4960f3b2b68401faf4c666cb487b5c93c84

SHA512
339a4c234465856d8f8ec21b20a46f38a99ed4bf56e8450ec61afd5f6913411805d05b72e0e93607885b43347a26299842601640c89f02628760cbda18f7461d

Download Submit
C:\Windows\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
C:\Windows\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
C:\Windows\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
C:\Windows\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
C:\Windows\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
C:\Windows\system\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
C:\Windows\system\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
C:\Windows\system\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
C:\Windows\system\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
C:\Windows\system\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
\Windows\Fonts\Admin 5 - 5 - 2021\msvbvm60.dll
MD5
9618e4752b19ce24efd729c662c8db1e

SHA1
e2fc41553e1f85472e3e4c6b20dea5430e500ef7

SHA256
3b2f5858bc5181506e84f6fa09eb755fb5b5e87f48c838bb125eb01fa13cf17e

SHA512
0c3c4f47b9321ffd06929f0358555d7376cf23f79aa5d1cf18d782062199f53baa55fd567862c76287917126020add7fa61bd3185be9dd99d85b70470d760bcb

Download Submit
memory/200-196-0x0000000000000000-mapping.dmp

Download
memory/200-237-0x0000000000000000-mapping.dmp

Download
memory/204-279-0x0000000000000000-mapping.dmp

Download
memory/216-287-0x0000000000000000-mapping.dmp

Download
memory/360-285-0x0000000000000000-mapping.dmp

Download
memory/540-288-0x0000000000000000-mapping.dmp

Download
memory/664-298-0x0000000000000000-mapping.dmp

Download
memory/760-292-0x0000000000000000-mapping.dmp

Download
memory/812-273-0x0000000000000000-mapping.dmp

Download
memory/836-289-0x0000000000000000-mapping.dmp

Download
memory/956-282-0x0000000000000000-mapping.dmp

Download
memory/1020-297-0x0000000000000000-mapping.dmp

Download
memory/1036-290-0x0000000000000000-mapping.dmp

Download
memory/1040-228-0x0000000000000000-mapping.dmp

Download
memory/1040-171-0x0000000000000000-mapping.dmp

Download
memory/1172-286-0x0000000000000000-mapping.dmp

Download
memory/1196-264-0x0000000000000000-mapping.dmp

Download
memory/1196-234-0x0000000000000000-mapping.dmp

Download
memory/1288-291-0x0000000000000000-mapping.dmp

Download
memory/1368-149-0x0000000000000000-mapping.dmp

Download
memory/1376-224-0x0000000000000000-mapping.dmp

Download
memory/1612-159-0x0000000000000000-mapping.dmp

Download
memory/1624-186-0x0000000000000000-mapping.dmp

Download
memory/1664-249-0x0000000000000000-mapping.dmp

Download
memory/1972-283-0x0000000000000000-mapping.dmp

Download
memory/2100-296-0x0000000000000000-mapping.dmp

Download
memory/2288-280-0x0000000000000000-mapping.dmp

Download
memory/2320-281-0x0000000000000000-mapping.dmp

Download
memory/2384-116-0x0000000000000000-mapping.dmp

Download
memory/2388-271-0x0000000000000000-mapping.dmp

Download
memory/2388-252-0x0000000000000000-mapping.dmp

Download
memory/2504-255-0x0000000000000000-mapping.dmp

Download
memory/2528-206-0x0000000000000000-mapping.dmp

Download
memory/2540-276-0x0000000000000000-mapping.dmp

Download
memory/2632-258-0x0000000000000000-mapping.dmp

Download
memory/2676-270-0x0000000000000000-mapping.dmp

Download
memory/2676-294-0x0000000000000000-mapping.dmp

Download
memory/2680-181-0x0000000000000000-mapping.dmp

Download
memory/2944-131-0x0000000000000000-mapping.dmp

Download
memory/3040-261-0x0000000000000000-mapping.dmp

Download
memory/3048-267-0x0000000000000000-mapping.dmp

Download
memory/3048-301-0x0000000000000000-mapping.dmp

Download
memory/3048-201-0x0000000000000000-mapping.dmp

Download
memory/3100-136-0x0000000000000000-mapping.dmp

Download
memory/3188-278-0x0000000000000000-mapping.dmp

Download
memory/3256-272-0x0000000000000000-mapping.dmp

Download
memory/3312-211-0x0000000000000000-mapping.dmp

Download
memory/3476-284-0x0000000000000000-mapping.dmp

Download
memory/3476-295-0x0000000000000000-mapping.dmp

Download
memory/3484-243-0x0000000000000000-mapping.dmp

Download
memory/3552-275-0x0000000000000000-mapping.dmp

Download
memory/3552-300-0x0000000000000000-mapping.dmp

Download
memory/3676-215-0x0000000000000000-mapping.dmp

Download
memory/3760-277-0x0000000000000000-mapping.dmp

Download
memory/3776-240-0x0000000000000000-mapping.dmp

Download
memory/3784-154-0x0000000000000000-mapping.dmp

Download
memory/3800-231-0x0000000000000000-mapping.dmp

Download
memory/3816-176-0x0000000000000000-mapping.dmp

Download
memory/3908-299-0x0000000000000000-mapping.dmp

Download
memory/3916-274-0x0000000000000000-mapping.dmp

Download
memory/3976-246-0x0000000000000000-mapping.dmp

Download
memory/4020-293-0x0000000000000000-mapping.dmp

Download