Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    23-05-2024 02:14

General

  • Target

    7595ece9b4c9b2ffce99ea6568f094371b8b271ec646701c7088e7e46c702d9b.exe

  • Size

    145KB

  • MD5

    1e458539f873b0f37c852300ba68c930

  • SHA1

    910928cebfeff0046100391013c4d899024e71ac

  • SHA256

    7595ece9b4c9b2ffce99ea6568f094371b8b271ec646701c7088e7e46c702d9b

  • SHA512

    6347a201cb2222972eab551d98ac9e5b7fbc709dba0016c57483d8de83e142e11203e388b36c928589c3d3537b3d6648845fce4cc4ba44b6bac1af15d3cb3343

  • SSDEEP

    3072:mx6AHjYzaFXg+w17jsgS/jHagQg1dxiEV:mxzYzaFXi17jW

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 48 IoCs
  • Runs ping.exe 1 TTPs 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7595ece9b4c9b2ffce99ea6568f094371b8b271ec646701c7088e7e46c702d9b.exe
    "C:\Users\Admin\AppData\Local\Temp\7595ece9b4c9b2ffce99ea6568f094371b8b271ec646701c7088e7e46c702d9b.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Sets file execution options in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2824
    • C:\Windows\Fonts\Admin 23 - 5 - 2024\smss.exe
      "C:\Windows\Fonts\Admin 23 - 5 - 2024\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Sets file execution options in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2680
      • C:\Windows\Fonts\Admin 23 - 5 - 2024\smss.exe
        "C:\Windows\Fonts\Admin 23 - 5 - 2024\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:1560
      • C:\Windows\Fonts\Admin 23 - 5 - 2024\Gaara.exe
        "C:\Windows\Fonts\Admin 23 - 5 - 2024\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Sets file execution options in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2716
        • C:\Windows\Fonts\Admin 23 - 5 - 2024\smss.exe
          "C:\Windows\Fonts\Admin 23 - 5 - 2024\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:1908
        • C:\Windows\Fonts\Admin 23 - 5 - 2024\Gaara.exe
          "C:\Windows\Fonts\Admin 23 - 5 - 2024\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:2168
        • C:\Windows\Fonts\Admin 23 - 5 - 2024\csrss.exe
          "C:\Windows\Fonts\Admin 23 - 5 - 2024\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Sets file execution options in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2372
          • C:\Windows\Fonts\Admin 23 - 5 - 2024\smss.exe
            "C:\Windows\Fonts\Admin 23 - 5 - 2024\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:876
          • C:\Windows\Fonts\Admin 23 - 5 - 2024\Gaara.exe
            "C:\Windows\Fonts\Admin 23 - 5 - 2024\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:300
          • C:\Windows\Fonts\Admin 23 - 5 - 2024\csrss.exe
            "C:\Windows\Fonts\Admin 23 - 5 - 2024\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:3020
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Sets file execution options in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1056
            • C:\Windows\Fonts\Admin 23 - 5 - 2024\smss.exe
              "C:\Windows\Fonts\Admin 23 - 5 - 2024\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:1432
            • C:\Windows\Fonts\Admin 23 - 5 - 2024\Gaara.exe
              "C:\Windows\Fonts\Admin 23 - 5 - 2024\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:2116
            • C:\Windows\Fonts\Admin 23 - 5 - 2024\csrss.exe
              "C:\Windows\Fonts\Admin 23 - 5 - 2024\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:328
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:1200
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visibility of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Sets file execution options in registry
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1688
              • C:\Windows\Fonts\Admin 23 - 5 - 2024\smss.exe
                "C:\Windows\Fonts\Admin 23 - 5 - 2024\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:1276
              • C:\Windows\Fonts\Admin 23 - 5 - 2024\Gaara.exe
                "C:\Windows\Fonts\Admin 23 - 5 - 2024\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:820
              • C:\Windows\Fonts\Admin 23 - 5 - 2024\csrss.exe
                "C:\Windows\Fonts\Admin 23 - 5 - 2024\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:1716
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1604
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:980
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:2844
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:2912
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:1760
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:2340
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:3028
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:2476
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:1984
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:1664
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:1460
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:2536
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:1976
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:2304
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1912
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:2584
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:2396
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:404
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:2752
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:1848
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:1640
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2924
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1864
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:2000
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:2508
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:2464
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:2176
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:2800
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:2700
      • C:\Windows\Fonts\Admin 23 - 5 - 2024\csrss.exe
        "C:\Windows\Fonts\Admin 23 - 5 - 2024\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:1576
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3016
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2232
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:1296
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:2628
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:1812
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:1824
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:1872
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:2888
    • C:\Windows\Fonts\Admin 23 - 5 - 2024\Gaara.exe
      "C:\Windows\Fonts\Admin 23 - 5 - 2024\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:2076
    • C:\Windows\Fonts\Admin 23 - 5 - 2024\csrss.exe
      "C:\Windows\Fonts\Admin 23 - 5 - 2024\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:868
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2736
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:2752
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:2556
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:2536
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:1848
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:1600
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:788
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:652

MITRE ATT&CK Matrix ATT&CK v13

  • Initial Access
    • Replication Through Removable Media (1) T1091
  • Persistence
    • Boot or Logon Autostart Execution (3) T1547
      • Registry Run Keys / Startup Folder (2) T1547.001
      • Winlogon Helper DLL (1) T1547.004
  • Privilege Escalation
    • Boot or Logon Autostart Execution (3) T1547
      • Registry Run Keys / Startup Folder (2) T1547.001
      • Winlogon Helper DLL (1) T1547.004
    • Abuse Elevation Control Mechanism (1) T1548
      • Bypass User Account Control (1) T1548.002
  • Defense Evasion
    • Modify Registry (9) T1112
    • Hide Artifacts (2) T1564
      • Hidden Files and Directories (2) T1564.001
    • Abuse Elevation Control Mechanism (1) T1548
      • Bypass User Account Control (1) T1548.002
    • Impair Defenses (1) T1562
      • Disable or Modify Tools (1) T1562.001
  • Discovery
    • System Information Discovery (2) T1082
    • Query Registry (1) T1012
    • Peripheral Device Discovery (1) T1120
    • Remote System Discovery (1) T1018
  • Lateral Movement
    • Replication Through Removable Media (1) T1091
  • Impact
    • Inhibit System Recovery (1) T1490
    • Defacement (1) T1491

Downloads

  • C:\Admin Games\Readme.txt
    Filesize

    736B

    MD5

    bb5d6abdf8d0948ac6895ce7fdfbc151

    SHA1

    9266b7a247a4685892197194d2b9b86c8f6dddbd

    SHA256

    5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

    SHA512

    878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

  • C:\Autorun.inf
    Filesize

    196B

    MD5

    1564dfe69ffed40950e5cb644e0894d1

    SHA1

    201b6f7a01cc49bb698bea6d4945a082ed454ce4

    SHA256

    be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

    SHA512

    72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

  • C:\Windows\Fonts\Admin 23 - 5 - 2024\csrss.exe
    Filesize

    145KB

    MD5

    1e458539f873b0f37c852300ba68c930

    SHA1

    910928cebfeff0046100391013c4d899024e71ac

    SHA256

    7595ece9b4c9b2ffce99ea6568f094371b8b271ec646701c7088e7e46c702d9b

    SHA512

    6347a201cb2222972eab551d98ac9e5b7fbc709dba0016c57483d8de83e142e11203e388b36c928589c3d3537b3d6648845fce4cc4ba44b6bac1af15d3cb3343

  • C:\Windows\Fonts\The Kazekage.jpg
    Filesize

    192KB

    MD5

    ca8609f3eb4c6e461d3582ff9234b309

    SHA1

    702ccf95aaa1a5de3982d3d8a2d58d95fea3e7a5

    SHA256

    277d5e607db233f135fd637900124c7f315dc0ce4a86fe5b65ca9d03040e41f3

    SHA512

    54432d2b7abffbac97d8a1768d081c874120ea86c3e2335e880acf54280f5ec7bca38016e6c51d4dc3115270edb9680c29487895a4d236ee140d8bd73836201d

  • C:\Windows\Fonts\The Kazekage.jpg
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Windows\Fonts\The Kazekage.jpg
    Filesize

    1.4MB

    MD5

    d6b05020d4a0ec2a3a8b687099e335df

    SHA1

    df239d830ebcd1cde5c68c46a7b76dad49d415f4

    SHA256

    9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

    SHA512

    78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

  • C:\Windows\SysWOW64\23-5-2024.exe
    Filesize

    145KB

    MD5

    75da4e6d421e20af4575161200d70653

    SHA1

    68e0e7378bcb27fc072f1c26b2a7f5b21ad2c65f

    SHA256

    47670962be48b5e4c98ad53dca52a4e6574baab4f8ff3671aea8d167d42ef2bd

    SHA512

    20f224d13f12a849911f343e8def4f4c1c759a4f6c7f940f00187a9fe053ad81df4b2786f5517ee7961a07ecc8b34f011cc4ce424c78d62483f2c2038ad8cd20

  • C:\Windows\SysWOW64\23-5-2024.exe
    Filesize

    145KB

    MD5

    7937c0f661828d33aa0a49999f68572e

    SHA1

    a8e52a65b1aac7bf4f2678432f30a425cd0bcbf7

    SHA256

    c78d6f310db7a096b2718710ed7fb8ab86fc043427088db08e270aa4e6148a4e

    SHA512

    c9163b434e7b0c8ac577085da57111efc6ea8c8672d22eb6089f53f9391a0c9fe1ee4792ee09eb8f946a137b47026c8207159d32c4260facac8549217e0d00f3

  • C:\Windows\SysWOW64\23-5-2024.exe
    Filesize

    145KB

    MD5

    eb2385545e5201f15374bcc97dc501f2

    SHA1

    a483316de11fdf2bf14b2f54dfb4e381ba3836fd

    SHA256

    d4cf3e9e1ecd12b2b4df53c432f4a47c2cccf0dbbb870affdcafe82672d51df6

    SHA512

    d8ed9f75d2c806ae94bb3e13f13e8555e3d1c9a4acfd10f3312fe421013478e38035d10a8a474bbf0a9cbc76b579480c2ddb750781390f2255396987c26e6fe5

  • C:\Windows\SysWOW64\Desktop.ini
    Filesize

    65B

    MD5

    64acfa7e03b01f48294cf30d201a0026

    SHA1

    10facd995b38a095f30b4a800fa454c0bcbf8438

    SHA256

    ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

    SHA512

    65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

  • C:\Windows\SysWOW64\drivers\Kazekage.exe
    Filesize

    145KB

    MD5

    e8533bfbfb8a2054b1b8473b14d4db6d

    SHA1

    fa5ec7b298e41f1c6d693db78fb6e7438e0b18b8

    SHA256

    d557e5513193772c163b0fdfc0f0da7fb5b886c5c9d168f073523760dcbf75ec

    SHA512

    f4dea81fe58df452e29d1e77c4216f581cb4251eb18143440142f248d4d62e76a92989460b2c2fa4df66e95dc95c9ae74b3944756d5fa1d56ad630ddaf7a6a75

  • C:\Windows\SysWOW64\drivers\Kazekage.exe
    Filesize

    145KB

    MD5

    9a12d2a45d0dc96b1850202b9d8dd65a

    SHA1

    1484fec6b433c4bdf493ed26112df371aaa69472

    SHA256

    902313fbd2b6551d53df93f758b0790199d4076f3c3a9d7d3c1fa395a072752c

    SHA512

    59cc4e283d226ef78d92568786ab06b22b9cdc965ce2cc45cb18c25cb9f9db361052833d0965edfe2fd36b2f0d346278870b6f8e8d78f6c0c7bb7749aad0ab66

  • C:\Windows\SysWOW64\drivers\Kazekage.exe
    Filesize

    145KB

    MD5

    aaf07b8f5342ec8f60c2417e139fa764

    SHA1

    0ff117ae26a5929b4fc38027acba30add02dc3f2

    SHA256

    27eddb04fcd58e862dced0145cdcfd163eaa622c89406adab6980644524890c3

    SHA512

    fe648505970e3aee6434d0913dd3bdcbd922e61e9f37d8b9a6cc4cf4b68c49ae938ed6acdc205adca88ea9fec6d861bd1539512abdd16a099d1cadff187ee708

  • C:\Windows\SysWOW64\drivers\system32.exe
    Filesize

    145KB

    MD5

    e9948d50748fa86442e9cd915eb6fec0

    SHA1

    382d98a4b3253283515771db3ddd35a38627f540

    SHA256

    5b5c597a06a9cf09628bda96373bae3deeb57ac1fa0e6ec5d6cb8f1c297c1256

    SHA512

    e0b7be2522d8da85ed2204314d9d69800f4c0e67688f988fd682cae98bab94a9b2a7943cd20bf3f9ea3f44162edef86c68809b22af930c40465081d30b07ef48

  • C:\Windows\SysWOW64\drivers\system32.exe
    Filesize

    145KB

    MD5

    2a3a0c316fa83de4d20da1d14d8f0839

    SHA1

    2466c7a24fb19c9ee33a4487fd19904491ccea91

    SHA256

    3a6bca239cf9b426a6c29f9816d2722eb3fc1b330641ca3f1149134b09bf746a

    SHA512

    5bd19ee140092ba92da2ad171fc645f80ec272aee1ee207a85a433c335717f0cfcca4702d54d734f1314c96f7e2ccca9cb2a608e33a7d27c8a7f5ad2cd684074

  • C:\Windows\SysWOW64\drivers\system32.exe
    Filesize

    145KB

    MD5

    b9389181b81b96575f623135fbffa0d3

    SHA1

    0b51c8a5041af8abfb1866954b6de02b8998a12d

    SHA256

    d0d18ef3e3d00a69e29c98ff7969366ef479e265c46191bcbd57e28f883ac86e

    SHA512

    c2207e59211a1c41aa098df86204add97752fe74d7fb436d480d1c94278442cb3f08d463a3bf5d75cba3b7f1e28aad124e1e8cdde5846940c69085d1c16d033c

  • C:\Windows\SysWOW64\drivers\system32.exe
    Filesize

    145KB

    MD5

    20d212a23c0567b72cecf482cb921132

    SHA1

    fa4ef35561c6dcd1cb075ca4529e01241ffa2c80

    SHA256

    fd676bb816eabba84a7c45260469c248a861a535179152d1351b502ee643227d

    SHA512

    1b5e9577a01e96e821b4d6d8b9d39f81e454608d39c8a1cb179d53825e0e237d32209aede3b6141f5a1369313392298069272632e54a25acd397f7f7404034f0

  • C:\Windows\system\msvbvm60.dll
    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • \Windows\Fonts\Admin 23 - 5 - 2024\Gaara.exe
    Filesize

    145KB

    MD5

    7145db32bcf7ca81e2654da1fc146ffe

    SHA1

    e6ec2f2c8ed8327315d4c02b40e03fc018d429f0

    SHA256

    543da97ee21e6868d1b7eb8bcc3a977fe9ae9a11d760bc71394a24769c6c7799

    SHA512

    be0311ca1dda653cfc78347d763c011ebb909881d24d7b9cb698a937554ba230bbb979c852a288ea57bbe480fe4407184ac0072189d51f8724fac6f0c123ee1c

  • \Windows\Fonts\Admin 23 - 5 - 2024\csrss.exe
    Filesize

    145KB

    MD5

    6ec47451cf4926dff6d74be32312aa09

    SHA1

    c1602941fcded9c7324f22875c05208f85f8eec3

    SHA256

    cb1d7c1c551c04357fb588e2a28ac39df50368678b6145ad77a3f219d6544263

    SHA512

    e8ccca43e5ffe7b2bd41a2f918c47dda8a7071c288f8f464c0b4d641c2d859695b2f256f4b12b73cd260d19818d76edbd9d5b842a3cd3d089d7a280560aeb8c6

  • \Windows\Fonts\Admin 23 - 5 - 2024\smss.exe
    Filesize

    145KB

    MD5

    4ee4f4a06d61fecb8cf2f8d4c4805309

    SHA1

    a9795ed2d2e139b43e0ce1759c5ccf72ecffba94

    SHA256

    002e726d9692a11379e9ff1290352da618ce1537c5aa9aed030647e8fe6d9b2c

    SHA512

    082e47203e6f6e8184b576eaa1e8c8b4a320cd8f5ea48d74821199196badb6e06a8c92ba32f9ddf16d0453c4fdb3acfde68952b1b520297fcb475d1f66e8bb56

  • memory/300-187-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/328-226-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/328-229-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/868-292-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/876-180-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/980-265-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1056-219-0x0000000000450000-0x0000000000475000-memory.dmp
    Filesize

    148KB

  • memory/1056-1050-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1056-199-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1056-234-0x0000000000450000-0x0000000000475000-memory.dmp
    Filesize

    148KB

  • memory/1200-232-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1432-222-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1560-83-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1560-78-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1576-280-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1604-262-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1604-261-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1688-1051-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1688-239-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1716-257-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1716-258-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1864-277-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1864-276-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1908-130-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1912-268-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1912-269-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2076-289-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2116-225-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2168-135-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2232-286-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2372-803-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2372-174-0x0000000000340000-0x0000000000365000-memory.dmp
    Filesize

    148KB

  • memory/2372-198-0x0000000000340000-0x0000000000365000-memory.dmp
    Filesize

    148KB

  • memory/2680-75-0x00000000004D0000-0x00000000004F5000-memory.dmp
    Filesize

    148KB

  • memory/2680-800-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2680-84-0x00000000004D0000-0x00000000004F5000-memory.dmp
    Filesize

    148KB

  • memory/2680-801-0x00000000004D0000-0x00000000004F5000-memory.dmp
    Filesize

    148KB

  • memory/2716-138-0x00000000004C0000-0x00000000004E5000-memory.dmp
    Filesize

    148KB

  • memory/2716-125-0x00000000004C0000-0x00000000004E5000-memory.dmp
    Filesize

    148KB

  • memory/2716-91-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2716-802-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2716-122-0x00000000004C0000-0x00000000004E5000-memory.dmp
    Filesize

    148KB

  • memory/2716-144-0x00000000004C0000-0x00000000004E5000-memory.dmp
    Filesize

    148KB

  • memory/2736-295-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2752-298-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2824-0-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2824-756-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2824-757-0x0000000002570000-0x0000000002595000-memory.dmp
    Filesize

    148KB

  • memory/2824-799-0x0000000002570000-0x0000000002595000-memory.dmp
    Filesize

    148KB

  • memory/2824-37-0x0000000002570000-0x0000000002595000-memory.dmp
    Filesize

    148KB

  • memory/2824-34-0x0000000002570000-0x0000000002595000-memory.dmp
    Filesize

    148KB

  • memory/2924-273-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2924-271-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/3016-283-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/3020-190-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB