Analysis

  • max time kernel: 91s
  • max time network: 141s
  • platform: windows10-2004_x64
  • resource: win10v2004-20231215-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 14/01/2024, 05:28

General

  • Target

    5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe

  • Size

    67KB

  • MD5

    5a6773f4b0ef8fa2c936e7e10c9e4ce5

  • SHA1

    d06db69a642e0dbbabd05ecf01baf34e5d5fdb7c

  • SHA256

    3d8286cdbd2fa89626de935fd278ae5c0f80198c9c7ba342e4c7c203651a8ae9

  • SHA512

    69f5309f8a52dec6698493fb9d900a155bc417eabfb991acabdec386de306ecbab5788f867fc732a4057d0379faa6e671be52e772e0eec9ac4d57a3ecd6b76d3

  • SSDEEP

    1536:/7OE59Vyzrc8K3WgFtKhJP+tcrVOXKzaJThZfaKhQiSEKNJh:jV5998K3WQ8fjEXKgZfnhfxuh

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 35 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe
    "C:\Users\Admin\AppData\Local\Temp\5a6773f4b0ef8fa2c936e7e10c9e4ce5.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Sets file execution options in registry
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4688
    • C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe
      "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Sets file execution options in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2628
      • C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe
        "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2212
      • C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe
        "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Sets file execution options in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2120
        • C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe
          "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:1420
        • C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe
          "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:4704
        • C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe
          "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Sets file execution options in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4828
          • C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe
            "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:2804
          • C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe
            "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:2632
          • C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe
            "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:4060
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Sets file execution options in registry
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:4500
            • C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe
              "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:4024
            • C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe
              "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:4440
            • C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe
              "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              PID:3704
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:3864
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visibility of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Sets file execution options in registry
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:4968
              • C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe
                "C:\Windows\Fonts\Admin 14 - 1 - 2024\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:4956
              • C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe
                "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:2380
              • C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe
                "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:2724
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1596
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1684
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:5000
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:216
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:2936
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:4472
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:2936
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:1488
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:2524
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:2436
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:2428
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:5084
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:4696
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:1464
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:4300
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:208
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:3184
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4924
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1028
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:4892
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:3112
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:1716
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:2412
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:1832
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:3156
      • C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe
        "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4312
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3508
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3860
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:4924
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:2016
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:1000
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:2596
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:1492
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:3284
    • C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe
      "C:\Windows\Fonts\Admin 14 - 1 - 2024\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:3364
    • C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe
      "C:\Windows\Fonts\Admin 14 - 1 - 2024\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:1936
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4224
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4952
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:2840
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:1340
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:4416
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:2400
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:4328
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:4144
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
    1⤵
    PID:1000

Network

MITRE ATT&CK Enterprise v15

Downloads


      168KB

    • memory/4440-205-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4500-170-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4500-253-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4500-299-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4688-484-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4688-0-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4688-154-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4688-298-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4704-113-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4704-117-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4828-304-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4828-240-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4828-122-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4828-487-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4828-288-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4924-265-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4924-268-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4952-296-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4956-244-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4968-220-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4968-514-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4968-300-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB

    • memory/4968-273-0x0000000000400000-0x000000000042A000-memory.dmp

      Filesize

      168KB