Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
  • submitted
    25-05-2024 23:09

General

  • Target

    320867c337db174c60200b23d21a16a0_NeikiAnalytics.exe

  • Size

    146KB

  • MD5

    320867c337db174c60200b23d21a16a0

  • SHA1

    49032d1539d5cb93d4bd0dbf28f40cf983c5e004

  • SHA256

    1cf92536c3efe3af302b54ecd48cea8a301ce1a0b68a6c6231c7783aa4866a95

  • SHA512

    8d171fc12e6c0d11babab2b0b3badfa677c269b41ba5087fb96c234ded97a4ee33a398b87745233fbd994d8d49d14e0a34faa16f8ad82c0574c6b91e72b9b7ba

  • SSDEEP

    3072:tx6AHjYzaFXg+w17jsgS/jHagQg1dxiEVO:txzYzaFXi17jWO

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 48 IoCs
  • Runs ping.exe 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\320867c337db174c60200b23d21a16a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\320867c337db174c60200b23d21a16a0_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Sets file execution options in registry
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1660
    • C:\Windows\Fonts\Admin 25 - 5 - 2024\smss.exe
      "C:\Windows\Fonts\Admin 25 - 5 - 2024\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Sets file execution options in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1212
      • C:\Windows\Fonts\Admin 25 - 5 - 2024\smss.exe
        "C:\Windows\Fonts\Admin 25 - 5 - 2024\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2464
      • C:\Windows\Fonts\Admin 25 - 5 - 2024\Gaara.exe
        "C:\Windows\Fonts\Admin 25 - 5 - 2024\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Sets file execution options in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2480
        • C:\Windows\Fonts\Admin 25 - 5 - 2024\smss.exe
          "C:\Windows\Fonts\Admin 25 - 5 - 2024\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:2736
        • C:\Windows\Fonts\Admin 25 - 5 - 2024\Gaara.exe
          "C:\Windows\Fonts\Admin 25 - 5 - 2024\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:2532
        • C:\Windows\Fonts\Admin 25 - 5 - 2024\csrss.exe
          "C:\Windows\Fonts\Admin 25 - 5 - 2024\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Sets file execution options in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1092
          • C:\Windows\Fonts\Admin 25 - 5 - 2024\smss.exe
            "C:\Windows\Fonts\Admin 25 - 5 - 2024\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:2836
          • C:\Windows\Fonts\Admin 25 - 5 - 2024\Gaara.exe
            "C:\Windows\Fonts\Admin 25 - 5 - 2024\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:768
          • C:\Windows\Fonts\Admin 25 - 5 - 2024\csrss.exe
            "C:\Windows\Fonts\Admin 25 - 5 - 2024\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:2284
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Sets file execution options in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1740
            • C:\Windows\Fonts\Admin 25 - 5 - 2024\smss.exe
              "C:\Windows\Fonts\Admin 25 - 5 - 2024\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:1100
            • C:\Windows\Fonts\Admin 25 - 5 - 2024\Gaara.exe
              "C:\Windows\Fonts\Admin 25 - 5 - 2024\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:624
            • C:\Windows\Fonts\Admin 25 - 5 - 2024\csrss.exe
              "C:\Windows\Fonts\Admin 25 - 5 - 2024\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:648
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:572
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visibility of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Sets file execution options in registry
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1984
              • C:\Windows\Fonts\Admin 25 - 5 - 2024\smss.exe
                "C:\Windows\Fonts\Admin 25 - 5 - 2024\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:2888
              • C:\Windows\Fonts\Admin 25 - 5 - 2024\Gaara.exe
                "C:\Windows\Fonts\Admin 25 - 5 - 2024\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:2880
              • C:\Windows\Fonts\Admin 25 - 5 - 2024\csrss.exe
                "C:\Windows\Fonts\Admin 25 - 5 - 2024\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:792
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1672
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:1440
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:1636
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:108
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:2676
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:2560
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:3024
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:2856
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:2928
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:2900
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:2664
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:2448
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:2136
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:2584
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:1308
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:1728
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:2104
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:2876
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:2888
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:320
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:2504
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1824
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:1636
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:2952
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:2140
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:2284
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:1952
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:1544
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:1628
      • C:\Windows\Fonts\Admin 25 - 5 - 2024\csrss.exe
        "C:\Windows\Fonts\Admin 25 - 5 - 2024\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2268
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:984
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:896
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:2440
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:2500
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:2740
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:2808
    • C:\Windows\Fonts\Admin 25 - 5 - 2024\Gaara.exe
      "C:\Windows\Fonts\Admin 25 - 5 - 2024\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:2988
    • C:\Windows\Fonts\Admin 25 - 5 - 2024\csrss.exe
      "C:\Windows\Fonts\Admin 25 - 5 - 2024\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:2968
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:872
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3000
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:2692
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:2588
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:2412
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:1820
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:2800
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:2956

Network

MITRE ATT&CK Matrix (ATT&CK v13)

Initial Access

Replication Through Removable Media

1
T1091

Persistence

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

3
T1547

Registry Run Keys / Startup Folder

2
T1547.001

Winlogon Helper DLL

1
T1547.004

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Defense Evasion

Modify Registry

9
T1112

Hide Artifacts

2
T1564

Hidden Files and Directories

2
T1564.001

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

1
T1562

Disable or Modify Tools

1
T1562.001

Discovery

System Information Discovery

2
T1082

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

Remote System Discovery

1
T1018

Lateral Movement

Replication Through Removable Media

1
T1091

Impact

Inhibit System Recovery

1
T1490

Defacement

1
T1491

Downloads

  • C:\Admin Games\Readme.txt
    Filesize

    736B

    MD5

    bb5d6abdf8d0948ac6895ce7fdfbc151

    SHA1

    9266b7a247a4685892197194d2b9b86c8f6dddbd

    SHA256

    5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

    SHA512

    878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

  • C:\Autorun.inf
    Filesize

    196B

    MD5

    1564dfe69ffed40950e5cb644e0894d1

    SHA1

    201b6f7a01cc49bb698bea6d4945a082ed454ce4

    SHA256

    be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

    SHA512

    72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

  • C:\Windows\Fonts\Admin 25 - 5 - 2024\Gaara.exe
    Filesize

    146KB

    MD5

    1b74d4e1f99038da1048c25c62b35e01

    SHA1

    0d693263c71691b0c1a9d67ce959893c692eda9d

    SHA256

    5219034d0f788f667fd7175e7e72f814a161d3f0b73e1928f48809a8e1f3d852

    SHA512

    b86c489bb4e52a452b8ec89ad47e053f3ac5a574bf4435f95029fcc221ce1540d034c07fc47e0a9f9621c0bac755a1f8d67fcdbfe9c908ed8d755462983fc652

  • C:\Windows\Fonts\Admin 25 - 5 - 2024\csrss.exe
    Filesize

    146KB

    MD5

    36185ca18ad1ffba96ebbcda31665d96

    SHA1

    b2a9fe3f8afcf5166e8c22a9a0f2b2854b0c1db3

    SHA256

    c4fdd65ea05bdcd0a2b7db0eef96a949a2575e4cf7713f31c38239a5877c0774

    SHA512

    f04e2abb70b080dc0680253aef851ece80a07fd6518a842ae2d9c44426a91c6a9179433e583f55d9dd7731d37c5c747fb1f60359e2ed06092af39525bdde8224

  • C:\Windows\Fonts\Admin 25 - 5 - 2024\csrss.exe
    Filesize

    146KB

    MD5

    52c2b99769c7d46c8dca177012f178aa

    SHA1

    e83e9255eae0f19c296481edbb24bb325a9ae4da

    SHA256

    054e7cfa013f4ad609fb8fefe18fc96de86a71434ab1c692d090722c111547f1

    SHA512

    20e1f85ffe03c39b09176604cd18df8e53ead36affcb27cc3cbabb68522390931029cdd1147a123893ba2fc99503bba0d9bf91b1eebebbf13ff83475325dd246

  • C:\Windows\Fonts\The Kazekage.jpg
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\Windows\Fonts\The Kazekage.jpg
    Filesize

    1.4MB

    MD5

    d6b05020d4a0ec2a3a8b687099e335df

    SHA1

    df239d830ebcd1cde5c68c46a7b76dad49d415f4

    SHA256

    9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

    SHA512

    78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

  • C:\Windows\SysWOW64\25-5-2024.exe
    Filesize

    146KB

    MD5

    9ab0b577603933310cf1b45098fb05de

    SHA1

    6666a9b4570ec3e1c9f2107ed309466a96afb89b

    SHA256

    7ff285c38f8d4bfd5db39673b1e97379b6aa48ab0b505fc3e35c1ba88d61c8b2

    SHA512

    51045abe93ce8bb4f0c81d630515afaae399686cde4a5a81ac1f841c2ef69fe923ac5d28d5e2040d45820d3ab15831579e05241a02338b174d2b575930f5c067

  • C:\Windows\SysWOW64\25-5-2024.exe
    Filesize

    146KB

    MD5

    69b4221e3f78141b1a2ea07135575849

    SHA1

    a28d71e5fda1f2517c4f59baa7efd42cac07fbd3

    SHA256

    a46295144a5f7c13b716bb75ced5d0607b57b18c35f883c4ae05b62c38706966

    SHA512

    f89f4578f9f5f148c65ee20dbf02ff0163af2162169162904610f39adb6dab8693d11df6e6750d8b8dcad1e45cf4988a004740d9f0a12abe4f9e9e5737913b1c

  • C:\Windows\SysWOW64\Desktop.ini
    Filesize

    65B

    MD5

    64acfa7e03b01f48294cf30d201a0026

    SHA1

    10facd995b38a095f30b4a800fa454c0bcbf8438

    SHA256

    ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

    SHA512

    65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

  • C:\Windows\SysWOW64\drivers\Kazekage.exe
    Filesize

    146KB

    MD5

    9ef0af01deb95e48fedb0fbb865c9d90

    SHA1

    5a9a532e96bc4fbb3fcf940aeb122ced744c3ea5

    SHA256

    b37646f76720d16868913d1b4bade3de2756882757ccf5ec469581712afe0dfd

    SHA512

    5f58c5784857c2fa255ba250b1fcc84854e4c09a4ebe334a48cb60e529b43ec54b1b1f438173fcaa36831bf245b06163701ea6319ab777468191226a2e99a33d

  • C:\Windows\SysWOW64\drivers\Kazekage.exe
    Filesize

    146KB

    MD5

    629396c312c277e9c8eeb79b169fbdfb

    SHA1

    7b44f29a1befbd5fd1146afe0010d353d9b806f0

    SHA256

    8f47a3fc18f3daaeab6c68529558a0d2b452062f40f7c2859cf0b6acda649e9f

    SHA512

    5cc178fa680a11af964cdd2061cce6ecc3248268e8f778565f730aa4d6970b7358b01bdf81347c98f316ec60ee1a1cf0c9de701e214ba2707e97c88a2e84ebd0

  • C:\Windows\SysWOW64\drivers\system32.exe
    Filesize

    146KB

    MD5

    4460fac61ce3f5e1e80f594af92eaad0

    SHA1

    9d0fafbb1b4e80fc71d628348d3bf909d4c6708c

    SHA256

    0489159557ffd529db272fc21048bf5d478709e980247a1188542dbbe493059b

    SHA512

    f8dfb4293b7aa7c2daca2a23bab8bc8883c56c7e5a919d98c7753b58d82d70f8f366b6aa8f1e5d8b7ea58eb653d5a247c73f0687aa0531f2e8cee1350962deb0

  • C:\Windows\SysWOW64\drivers\system32.exe
    Filesize

    127KB

    MD5

    c43e07ffb861f31fcea32d8c2c5b074e

    SHA1

    e7cbc3e585819397caa47ff57608632f2533d706

    SHA256

    bd3c74ad0d7ef1c9c1a22dc79cb64f024a65c3289d27d45bb0bceb67e5f728ca

    SHA512

    5d290df7333ef829bcfcb0336527082650fb811250e00c161dc8c022d56a1006325810ded953755c4a9285f94c2d5a3fe7b5ed429c22bb5eea282bc14b48260e

  • C:\Windows\SysWOW64\drivers\system32.exe
    Filesize

    146KB

    MD5

    320867c337db174c60200b23d21a16a0

    SHA1

    49032d1539d5cb93d4bd0dbf28f40cf983c5e004

    SHA256

    1cf92536c3efe3af302b54ecd48cea8a301ce1a0b68a6c6231c7783aa4866a95

    SHA512

    8d171fc12e6c0d11babab2b0b3badfa677c269b41ba5087fb96c234ded97a4ee33a398b87745233fbd994d8d49d14e0a34faa16f8ad82c0574c6b91e72b9b7ba

  • C:\Windows\SysWOW64\drivers\system32.exe
    Filesize

    146KB

    MD5

    c263d0ee445baf1e92dc32e17bef70a0

    SHA1

    42bf1cc86305f18f4253a1bb0a4460ca1ebc7fb2

    SHA256

    94e6d299675d8025600d2f5a998b625d886758a2b19d70ebc334e2c8206ed3a3

    SHA512

    7b8f3105551736d782186cdbaf7b0f22d2c06aa3010f65539d5d00b7e10504e9fef79cc6437d9166a51a42f07ababbca03a9a8fc10a320c2dc6a0aa87578885b

  • C:\Windows\SysWOW64\drivers\system32.exe
    Filesize

    146KB

    MD5

    a9690225f6d2ec77a948c5a8356ebab7

    SHA1

    1408bb029b0b8629cf893c511f345e2d27a2261a

    SHA256

    fd0322287cebfef67f55971147befcb8b315186e106bc02334f860397468f2a7

    SHA512

    ac157a739c23c8e6f99127ae7eaca3339e3833e78c44fe2dcd4bad4c04b4e4a6a5a25c936ee6621f67ad5f30872dfc97c2b5ea94e0196c8621c4c79c3c2c7bde

  • C:\Windows\mscomctl.ocx
    Filesize

    146KB

    MD5

    b9811442f970a2f4d7d0d30778f81692

    SHA1

    b8da05aa29b0bb6696b329b3d37866d546becf7b

    SHA256

    2868d9b349a1bc1175ebc33b1af13d3ef6512dd23674d0c3bc5f8e15b94c2d37

    SHA512

    b670cc56a664e876d02911497c873b8da9252d4410a3a02c88109c875e9017e89060975fac1cd2bb792e4be36a14322230a2c65036a0517c8b4a8077e718d43c

  • C:\Windows\system\msvbvm60.dll
    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • \Windows\Fonts\Admin 25 - 5 - 2024\smss.exe
    Filesize

    146KB

    MD5

    ea77830aacb8dc7b1c1b6a853c7f5034

    SHA1

    501f6f4299782a448e2d83e26fc2611ff33e60eb

    SHA256

    f193bb79b2d76d0c9959a85f91ba106de4ef6b032f0a0709055d8f19bc5e1f3e

    SHA512

    d9b44d4c7f5bfd86c476c1a5365d5ddf841f8a1a9ff5a2d421da488863b90e4c0f5a5eac66b12dbbea5a1646e2db4205fb560971cd6350911d89ec68dbf91eb2

  • \Windows\SysWOW64\drivers\Kazekage.exe
    Filesize

    146KB

    MD5

    42aa21d0eef2f537fb9578cf41ad164a

    SHA1

    252475fc21fe627b0e49394a60eb2e8c72f28951

    SHA256

    a22a3cbfe6f4a0e8ca80830f1d957646e89946ce8db3c9bf100a2057d5036835

    SHA512

    897adadf38e8b7e4c96e1b315d01525a7ec79e6e126e00629acdd97640ecfc87c6144bc48f495a304c32e77b82c8b4468bbc81463bdac127f9b1980ac92878ca

  • memory/572-230-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/624-222-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/648-226-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/648-223-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/768-179-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/768-184-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/792-257-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/872-292-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/896-283-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/984-280-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1092-1005-0x0000000000390000-0x00000000003B5000-memory.dmp
    Filesize

    148KB

  • memory/1092-758-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1092-145-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1100-219-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1212-77-0x00000000002D0000-0x00000000002F5000-memory.dmp
    Filesize

    148KB

  • memory/1212-754-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1212-755-0x00000000002D0000-0x00000000002F5000-memory.dmp
    Filesize

    148KB

  • memory/1212-88-0x00000000002D0000-0x00000000002F5000-memory.dmp
    Filesize

    148KB

  • memory/1308-268-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1440-265-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1440-262-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1636-274-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1660-39-0x00000000004B0000-0x00000000004D5000-memory.dmp
    Filesize

    148KB

  • memory/1660-0-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1660-32-0x00000000004B0000-0x00000000004D5000-memory.dmp
    Filesize

    148KB

  • memory/1660-753-0x00000000004B0000-0x00000000004D5000-memory.dmp
    Filesize

    148KB

  • memory/1660-752-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1672-260-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1672-261-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1740-234-0x00000000003D0000-0x00000000003F5000-memory.dmp
    Filesize

    148KB

  • memory/1740-1007-0x00000000003D0000-0x00000000003F5000-memory.dmp
    Filesize

    148KB

  • memory/1740-196-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1740-1006-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1740-1008-0x00000000003D0000-0x00000000003F5000-memory.dmp
    Filesize

    148KB

  • memory/1824-271-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1984-235-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/1984-1009-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2268-279-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2284-190-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2284-185-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2464-80-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2480-89-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2480-757-0x00000000005C0000-0x00000000005E5000-memory.dmp
    Filesize

    148KB

  • memory/2480-123-0x00000000005C0000-0x00000000005E5000-memory.dmp
    Filesize

    148KB

  • memory/2480-125-0x00000000005C0000-0x00000000005E5000-memory.dmp
    Filesize

    148KB

  • memory/2480-756-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2532-134-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2736-130-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2836-177-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2880-253-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2880-254-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2888-250-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2968-289-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/2988-286-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB

  • memory/3000-295-0x0000000000400000-0x0000000000425000-memory.dmp
    Filesize

    148KB