Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/05/2024, 07:50

General

  • Target

    25d275c0b0991a4a233962bf50f548d0_NeikiAnalytics.exe

  • Size

    148KB

  • MD5

    25d275c0b0991a4a233962bf50f548d0

  • SHA1

    33afd1c97465362a22f35da8214d89c79af1c6d9

  • SHA256

    37201cc2a0949ea182ebe018d7c0003b6f980f3b01ba816c8516b74e1268407f

  • SHA512

    d375cc432fc2340af79d503143839ca282621052111e482385fe189dc2f9d6c3af7d38b28007e9b823616691f5c6bba2ccf0eff03fb6625ca3cf614463e3e38e

  • SSDEEP

    1536:8Jo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTV:Yx6AHjYzaFXg+w17jsgS/jHagQg19V

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Sets file execution options in registry 2 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • Drops file in Windows directory 64 IoCs
  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\25d275c0b0991a4a233962bf50f548d0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\25d275c0b0991a4a233962bf50f548d0_NeikiAnalytics.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Sets file execution options in registry
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4664
    • C:\Windows\Fonts\Admin 27 - 5 - 2024\smss.exe
      "C:\Windows\Fonts\Admin 27 - 5 - 2024\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Sets file execution options in registry
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4124
      • C:\Windows\Fonts\Admin 27 - 5 - 2024\smss.exe
        "C:\Windows\Fonts\Admin 27 - 5 - 2024\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:3480
      • C:\Windows\Fonts\Admin 27 - 5 - 2024\Gaara.exe
        "C:\Windows\Fonts\Admin 27 - 5 - 2024\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Sets file execution options in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4536
        • C:\Windows\Fonts\Admin 27 - 5 - 2024\smss.exe
          "C:\Windows\Fonts\Admin 27 - 5 - 2024\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:4936
        • C:\Windows\Fonts\Admin 27 - 5 - 2024\Gaara.exe
          "C:\Windows\Fonts\Admin 27 - 5 - 2024\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:1184
        • C:\Windows\Fonts\Admin 27 - 5 - 2024\csrss.exe
          "C:\Windows\Fonts\Admin 27 - 5 - 2024\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Sets file execution options in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2824
          • C:\Windows\Fonts\Admin 27 - 5 - 2024\smss.exe
            "C:\Windows\Fonts\Admin 27 - 5 - 2024\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:4864
          • C:\Windows\Fonts\Admin 27 - 5 - 2024\Gaara.exe
            "C:\Windows\Fonts\Admin 27 - 5 - 2024\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:928
          • C:\Windows\Fonts\Admin 27 - 5 - 2024\csrss.exe
            "C:\Windows\Fonts\Admin 27 - 5 - 2024\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:2864
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Sets file execution options in registry
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1788
            • C:\Windows\Fonts\Admin 27 - 5 - 2024\smss.exe
              "C:\Windows\Fonts\Admin 27 - 5 - 2024\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:1344
            • C:\Windows\Fonts\Admin 27 - 5 - 2024\Gaara.exe
              "C:\Windows\Fonts\Admin 27 - 5 - 2024\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:2892
            • C:\Windows\Fonts\Admin 27 - 5 - 2024\csrss.exe
              "C:\Windows\Fonts\Admin 27 - 5 - 2024\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:2944
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:5092
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visibility of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Sets file execution options in registry
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3320
              • C:\Windows\Fonts\Admin 27 - 5 - 2024\smss.exe
                "C:\Windows\Fonts\Admin 27 - 5 - 2024\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:3424
              • C:\Windows\Fonts\Admin 27 - 5 - 2024\Gaara.exe
                "C:\Windows\Fonts\Admin 27 - 5 - 2024\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:1528
              • C:\Windows\Fonts\Admin 27 - 5 - 2024\csrss.exe
                "C:\Windows\Fonts\Admin 27 - 5 - 2024\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:1236
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2904
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:4492
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:684
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:1008
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:228
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:1512
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:3868
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:4660
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:960
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:116
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:3688
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:1712
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:792
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:1764
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:868
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:2904
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:3012
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:116
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:4744
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4856
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:4300
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:2952
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:3684
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:4284
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:4584
      • C:\Windows\Fonts\Admin 27 - 5 - 2024\csrss.exe
        "C:\Windows\Fonts\Admin 27 - 5 - 2024\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2928
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:4700
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:1468
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:412
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:880
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:464
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:3576
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:1540
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:3020
    • C:\Windows\Fonts\Admin 27 - 5 - 2024\Gaara.exe
      "C:\Windows\Fonts\Admin 27 - 5 - 2024\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:2828
    • C:\Windows\Fonts\Admin 27 - 5 - 2024\csrss.exe
      "C:\Windows\Fonts\Admin 27 - 5 - 2024\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:332
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:3480
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4792
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:3500
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:3592
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:2360
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:2820
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:2140
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:1028

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Admin Games\Readme.txt

    Filesize

    736B

    MD5

    bb5d6abdf8d0948ac6895ce7fdfbc151

    SHA1

    9266b7a247a4685892197194d2b9b86c8f6dddbd

    SHA256

    5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

    SHA512

    878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

  • C:\Autorun.inf

    Filesize

    196B

    MD5

    1564dfe69ffed40950e5cb644e0894d1

    SHA1

    201b6f7a01cc49bb698bea6d4945a082ed454ce4

    SHA256

    be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

    SHA512

    72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

  • C:\Gaara.exe

    Filesize

    148KB

    MD5

    25d275c0b0991a4a233962bf50f548d0

    SHA1

    33afd1c97465362a22f35da8214d89c79af1c6d9

    SHA256

    37201cc2a0949ea182ebe018d7c0003b6f980f3b01ba816c8516b74e1268407f

    SHA512

    d375cc432fc2340af79d503143839ca282621052111e482385fe189dc2f9d6c3af7d38b28007e9b823616691f5c6bba2ccf0eff03fb6625ca3cf614463e3e38e

  • C:\Windows\Fonts\Admin 27 - 5 - 2024\Gaara.exe

    Filesize

    148KB

    MD5

    754d6648736acb71299fbcec71a7d034

    SHA1

    dbc52b74ac4a25e6438ef4349ddd08242c5b4ff1

    SHA256

    51de4280f8d3ebef22bebb98f35d670404cdf3f7736b0af05704a89bb3abdd34

    SHA512

    4ea0b468d96ae4f94b53ff2279a2bb85661196f39a08df5311e306c2393cdf9b178e53530ce774abae501e4110c2ffed006e2f7dc7437824103252d5725ce89d

  • C:\Windows\Fonts\Admin 27 - 5 - 2024\csrss.exe

    Filesize

    148KB

    MD5

    19d03824cb1b12f758f899b8a033d975

    SHA1

    2f4b23896ddec3d17d23cb5706c01a9351d2803e

    SHA256

    ef42916cf366c1e4719a1a1e49db89852fe6dd729e8e921286b9b5f5b3f21d45

    SHA512

    5ff44f64d8a5a084c216ce70a3d1a5b910204dc3636e6680de071fa81c0fa79d1d35aa56b219267d2797326d109223127edca7e2f323ccdf49f2575de2740c7a

  • C:\Windows\Fonts\Admin 27 - 5 - 2024\csrss.exe

    Filesize

    148KB

    MD5

    6042f24ec052b3e8a33faffb55e60b57

    SHA1

    f37e24212e59a67ef56e770154fa0e6811bd16f3

    SHA256

    3060e77b01105b0fd420821353c2b5eb4f8800e72da387769bdf69395549a518

    SHA512

    5668813241a719236954268822538f50dc91d63d9f89b3daf5aba7aae9523d8b88c51424c1836e598a62701005d7505406022766c7b64fbb5b2a88723e0fb483

  • C:\Windows\Fonts\Admin 27 - 5 - 2024\smss.exe

    Filesize

    148KB

    MD5

    b2e92483326dfa0ee9019732cdb326b2

    SHA1

    1e3a95283b63dd29e045d06c326aa51555594f6e

    SHA256

    994d2d2d7a412588a6eaabe1edeb79cb6b882b8a83d3ec235121b410bf3d44fc

    SHA512

    3ecfb155cbac61cdfdd588c470e3d9a3c2a477523b3f3ee4efaccebf1866f1fbac20866739ba3f010056a479a63ea3ca9a08b2204af091f96097455521e5e044

  • C:\Windows\Fonts\The Kazekage.jpg

    Filesize

    1.4MB

    MD5

    d6b05020d4a0ec2a3a8b687099e335df

    SHA1

    df239d830ebcd1cde5c68c46a7b76dad49d415f4

    SHA256

    9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

    SHA512

    78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

  • C:\Windows\SysWOW64\27-5-2024.exe

    Filesize

    148KB

    MD5

    0b92d933324596f55a98996119833b23

    SHA1

    221d314ea7e366278b65c8d2ef308b93f71efe20

    SHA256

    7fc2a5386dd77a82b933cc26343f5db14d304f1ec62ab2e5b6d08499a1b2670c

    SHA512

    6cfd4d43192e1c1f20a72e58417874908ae6b4f93b8206e0c1fd6da2c2032a4bd0b0abc435e10009e7e9b835536e3367455535d73cd80ec541d4ca0a8fa394bd

  • C:\Windows\SysWOW64\27-5-2024.exe

    Filesize

    148KB

    MD5

    f022e13addfc658b9b37ff3a5df31e68

    SHA1

    557fa51f26a510d1f8c031f7dc9736060095f0a6

    SHA256

    859c818832d714816001668e3f837e150c61b3aaa1bbfcc5ac85264943aba362

    SHA512

    9d171975bdb2932cacdf31c0fcdf5e28fb9ebba7a4668e961ea63cf2cac46bd9d53cbc9af6d952022cdf137cd9ed3368cb4428f160833b16fd6ab3af48bc2887

  • C:\Windows\SysWOW64\27-5-2024.exe

    Filesize

    148KB

    MD5

    a2a1ba291b1876970e1d3e6903889526

    SHA1

    89d84f9cefbed774b1702a2a05bfabcac29821b3

    SHA256

    10064549f15020f3c043db1d1be6cbc7eb6cf1e743f80f7e58ab1da52801134b

    SHA512

    8b9ffe01885480ce86883348b02d58a0c02aacbfb6802e0060e8dedc141478d345e759557e9fade72c163aed4a2a785adb60068137ee65076f00cf2d6df318c0

  • C:\Windows\SysWOW64\27-5-2024.exe

    Filesize

    148KB

    MD5

    49ac937f7280f7d9f5799b70e940b3d7

    SHA1

    91868da368d6fb052630fe58f1a4a605caff8f97

    SHA256

    47ab6084dc9f246a6db6277c88401a905e76b06e8c8965e5bcf55d001cd3c1e5

    SHA512

    9e1035cd6a9e5e18f0d032b197e0a27f6859eab1520c77d47897485199754567d63a101797820c2f2f7b3c8ea0eaa60ccc9e0bc46e30f630cc027520af515aa2

  • C:\Windows\SysWOW64\27-5-2024.exe

    Filesize

    148KB

    MD5

    1bcd692a25f862cf578f36bcef952c60

    SHA1

    70cac767213ab2b07f26b6eb31f89ed1a40c25aa

    SHA256

    0eadaf0e77988be12039a85d088e881e35ef8ee27097e3d88771623087b4b463

    SHA512

    f01638ae15001c728a6b9cdb57750b6d6531f33e7ea06feca13ea1157b048bab27da4f1a68bf54ac94f704137f8276b3b1f347d561079e67f9ae5a983ecd457c

  • C:\Windows\SysWOW64\Desktop.ini

    Filesize

    65B

    MD5

    64acfa7e03b01f48294cf30d201a0026

    SHA1

    10facd995b38a095f30b4a800fa454c0bcbf8438

    SHA256

    ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

    SHA512

    65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    148KB

    MD5

    ca0fa0ef897601a8af41c8b01d9255d5

    SHA1

    41ed67488c68761857150a63beb25c4a3a142dcd

    SHA256

    e70463e946f6180f7fed0a5cbadefee828a29a7d7b6689e4be1326d3b6729e97

    SHA512

    28af4a999e2e348cc36629bcb4ac523cbd10018280b1459799e1a5392b345b41e6953217883fd3ee624030ab89862b2c7c99dc5cd5895d664b72aded9c042f56

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    148KB

    MD5

    c37811ff5d0e0170bf7616da6016c916

    SHA1

    535f46a89611facbebbe5e3786eb11ea0b87a647

    SHA256

    63f8a77748229ac9e7244121459c25d97fcd0bba97417b09399417f42510b142

    SHA512

    52ccf6bc9dddb184583a2cdeaf6042fee4d28a28ebcd871ac1567d47b397d885eeb2ce84394bd235835e17308afa3ba9b4eccc449e1ff1f25bc2af58833f31bb

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    148KB

    MD5

    3f16d7e2fedaeeeb72895c6d95f1701d

    SHA1

    90b22cc453569c1f910f2336226909215dcad990

    SHA256

    6066b14b32885fb7e77fe19dd8caa22bb3e4ae44fbea62afa408b8cd1195f25b

    SHA512

    43a3772ceeab421a1a259f6b821fc7055425b00548da8d45c183c90d660e72238d7900f221ac7a94c6b98847cfa3105f94b2b32da36cbc34916c8aa1946cec96

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    148KB

    MD5

    4b74c0f714d0f72502898f1da6eee4c4

    SHA1

    423f7405c9738eaad200390552ba94048f4df774

    SHA256

    1e6ce98c094fa5c48b71840a6d2fa2749cbde5d13ba964386d6ccf1570f4a5a8

    SHA512

    bce049e4199fc49ab7fb165abbecc28fd9a2fd4f8d024deb1969fb297265646d0eba47126cc33f726821997e18d9b7d855714b0a816a691e3aa7acbb39febc57

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    148KB

    MD5

    13831e3daf892b88acd40f805b9cc183

    SHA1

    955f8955e3eae4983d0e0481f8dee6a7c6bcc846

    SHA256

    95108f395c58521aac959bae99035c3d616654db82dad16547944d1862ae2419

    SHA512

    c7e43059843717ba32bf27f7fdbaad43618281248a42c0ab286440574ddf9b4210da39d7fa501310f963773e98f9e8023733633e3d4879831f7ac3f7c45a1ec8

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    148KB

    MD5

    3b4b658538c213112c5b43c4f2c6205a

    SHA1

    ecf0413982e67ef548339eedadde98c50e9dbed3

    SHA256

    34999f94b115eebd113e595ac17ba73538d1502480b90e4311eec325afcc120a

    SHA512

    75161cafc0b6428066213d0730e2600de1a47f3c0150effdf8828ddca27512ef1716173e1c59d498632a02352ceda8911e03ae6ef2a58d993151d1a9da469fa6

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    148KB

    MD5

    05c6e9dd0e455f474a8da52653e6518e

    SHA1

    aecf0306527c94c58b757312c94801b3e6318f36

    SHA256

    055f7f64ff81e8f96e3dde006d5efa84d34d4df4e891394cd70c3831f8a0ad72

    SHA512

    7899968f3a339b7c6f62c16bb41a808766d2749db5857d46d7be983a422e5f359f6186065903251325274ad8457bb4b3e6a82ba0a09382155b9ac374bd51ad43

  • C:\Windows\System\msvbvm60.dll

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • C:\Windows\mscomctl.ocx

    Filesize

    148KB

    MD5

    8ab93372015a66d3d0519074c5c4a796

    SHA1

    39e585045b9f8fbe7aa364baa4c3a121b6e62d19

    SHA256

    a1ee273e606fbafeb15e41c116515b5567306f41d5cb60c75e93638934ccc498

    SHA512

    749dc32a12036806725ab78ebcb1788ebedf32732d408364b6f1311a499bc98c385205f8208fceee5389d0446275cf7bcf26b32470f28d406bb12f3499493ba6

  • F:\Admin Games\Hokage-Sampit (Nothing).exe

    Filesize

    148KB

    MD5

    2b80577de6ecbbe6dd8078b5ee55ce78

    SHA1

    1094a89ebd57f34f7e7d798183a351217f4c93bf

    SHA256

    25a7e5106910c409dc6f9d59395b941c0acacd26e9a82010fee8ad727f18ba8b

    SHA512

    c91a757ec1b0a453375c9173aae54f3c0b59d5d35d46bb104e96d12aab1c4602f6df5c48dd688f4b275aef9c49b94de22a61a1bbf9dfc16a11c6259637c6a2bd

  • memory/332-269-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/792-242-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/792-245-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/928-158-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1184-118-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1236-235-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1344-191-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1468-263-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1528-232-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1788-985-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1788-166-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2824-984-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2824-120-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2828-266-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2864-159-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2864-164-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2892-198-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2904-238-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2928-257-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3320-209-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3424-229-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3480-77-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3480-70-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3480-272-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4124-982-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4124-34-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4300-254-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4492-241-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4536-78-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4536-983-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4664-0-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4664-940-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4700-260-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4792-275-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4856-251-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4864-153-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4936-114-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4936-111-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/5092-205-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/5092-202-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB