Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/06/2024, 18:52

General

  • Target

    116f6c6b6704dff23466e8174760bb2d5471558a294b455ffd000641d0587ee9.exe

  • Size

    145KB

  • MD5

    951e4f9266deb978742ca791b6929302

  • SHA1

    424e121d0c1a4da74c3707e866c535ae993861aa

  • SHA256

    116f6c6b6704dff23466e8174760bb2d5471558a294b455ffd000641d0587ee9

  • SHA512

    2cbd3b92590cb34ac9a4e85b6c8d8196c71b58db81f8487ee9822c65f1e01b996a2cb7e434f7ae83cd24a62292b6e29c33964e21509ea4bfeaf5e1ee46140492

  • SSDEEP

    1536:uJo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTV:+x6AHjYzaFXg+w17jsgS/jHagQg19V

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
  • Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
  • UAC bypass (3 TTPs, 6 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Disables use of System Restore points (1 TTP)
  • Drops file in Drivers directory (24 IoCs)
  • Event Triggered Execution: Image File Execution Options Injection (1 TTP, 64 IoCs)
  • Executes dropped EXE (30 IoCs)
  • Loads dropped DLL (18 IoCs)
  • Adds Run key to start application (2 TTPs, 24 IoCs)
  • Checks whether UAC is enabled (1 TTP, 6 IoCs)
  • Drops desktop.ini file(s) (64 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file (1 TTP, 64 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (39 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 6 IoCs)
  • Drops file in Windows directory (64 IoCs)
  • Modifies Control Panel (64 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 12 IoCs)
  • Modifies registry class (51 IoCs)
  • Runs ping.exe (1 TTP, 36 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of SetWindowsHookEx (31 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\116f6c6b6704dff23466e8174760bb2d5471558a294b455ffd000641d0587ee9.exe
    "C:\Users\Admin\AppData\Local\Temp\116f6c6b6704dff23466e8174760bb2d5471558a294b455ffd000641d0587ee9.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2024
    • C:\Windows\Fonts\Admin 27 - 6 - 2024\smss.exe
      "C:\Windows\Fonts\Admin 27 - 6 - 2024\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1956
      • C:\Windows\Fonts\Admin 27 - 6 - 2024\smss.exe
        "C:\Windows\Fonts\Admin 27 - 6 - 2024\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:2196
      • C:\Windows\Fonts\Admin 27 - 6 - 2024\Gaara.exe
        "C:\Windows\Fonts\Admin 27 - 6 - 2024\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4956
        • C:\Windows\Fonts\Admin 27 - 6 - 2024\smss.exe
          "C:\Windows\Fonts\Admin 27 - 6 - 2024\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:2532
        • C:\Windows\Fonts\Admin 27 - 6 - 2024\Gaara.exe
          "C:\Windows\Fonts\Admin 27 - 6 - 2024\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:1560
        • C:\Windows\Fonts\Admin 27 - 6 - 2024\csrss.exe
          "C:\Windows\Fonts\Admin 27 - 6 - 2024\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3104
          • C:\Windows\Fonts\Admin 27 - 6 - 2024\smss.exe
            "C:\Windows\Fonts\Admin 27 - 6 - 2024\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:2612
          • C:\Windows\Fonts\Admin 27 - 6 - 2024\Gaara.exe
            "C:\Windows\Fonts\Admin 27 - 6 - 2024\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:3548
          • C:\Windows\Fonts\Admin 27 - 6 - 2024\csrss.exe
            "C:\Windows\Fonts\Admin 27 - 6 - 2024\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious use of SetWindowsHookEx
            PID:3196
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:3688
            • C:\Windows\Fonts\Admin 27 - 6 - 2024\smss.exe
              "C:\Windows\Fonts\Admin 27 - 6 - 2024\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:952
            • C:\Windows\Fonts\Admin 27 - 6 - 2024\Gaara.exe
              "C:\Windows\Fonts\Admin 27 - 6 - 2024\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:2596
            • C:\Windows\Fonts\Admin 27 - 6 - 2024\csrss.exe
              "C:\Windows\Fonts\Admin 27 - 6 - 2024\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Suspicious use of SetWindowsHookEx
              PID:3700
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of SetWindowsHookEx
              PID:1176
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visibility of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Event Triggered Execution: Image File Execution Options Injection
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2168
              • C:\Windows\Fonts\Admin 27 - 6 - 2024\smss.exe
                "C:\Windows\Fonts\Admin 27 - 6 - 2024\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:3876
              • C:\Windows\Fonts\Admin 27 - 6 - 2024\Gaara.exe
                "C:\Windows\Fonts\Admin 27 - 6 - 2024\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:764
              • C:\Windows\Fonts\Admin 27 - 6 - 2024\csrss.exe
                "C:\Windows\Fonts\Admin 27 - 6 - 2024\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Suspicious use of SetWindowsHookEx
                PID:3264
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:2296
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                PID:4524
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:3300
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:4276
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:884
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:4320
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • Runs ping.exe
                PID:3208
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • Runs ping.exe
                PID:2716
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:3600
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:1452
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:2652
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:2160
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • Runs ping.exe
              PID:1388
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • Runs ping.exe
              PID:1408
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:3184
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:2108
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:3840
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:4268
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:680
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • Runs ping.exe
            PID:3036
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • Runs ping.exe
            PID:1472
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2368
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:3768
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:2936
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:4540
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:3684
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:2256
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • Runs ping.exe
          PID:2588
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • Runs ping.exe
          PID:952
      • C:\Windows\Fonts\Admin 27 - 6 - 2024\csrss.exe
        "C:\Windows\Fonts\Admin 27 - 6 - 2024\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:684
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2548
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:3568
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:3468
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:968
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:4988
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:924
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • Runs ping.exe
        PID:2844
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • Runs ping.exe
        PID:1744
    • C:\Windows\Fonts\Admin 27 - 6 - 2024\Gaara.exe
      "C:\Windows\Fonts\Admin 27 - 6 - 2024\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:4764
    • C:\Windows\Fonts\Admin 27 - 6 - 2024\csrss.exe
      "C:\Windows\Fonts\Admin 27 - 6 - 2024\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      PID:2204
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4580
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetWindowsHookEx
      PID:4876
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:1136
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:3596
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:2088
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:656
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • Runs ping.exe
      PID:3248
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • Runs ping.exe
      PID:4760
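The process tree above records the behaviours behind several of the signatures: smss.exe and csrss.exe running from C:\Windows\Fonts\Admin 27 - 6 - 2024\ instead of C:\Windows\System32, executables launched from a drivers directory, a binary named system32.exe, and repeated ping.exe invocations with a 65500-byte payload against two hosts. Two details help when reading it. The command lines say C:\Windows\system32\drivers\... while the image path is C:\Windows\SysWOW64\drivers\...; that is WOW64 file-system redirection for a 32-bit process writing under System32. And the ping lines put the host before the size, so Windows ping, which expects a number after -l, rejects the command rather than sending anything. The following is an added example (mine, not part of the sandbox report) that encodes those four observations as detection rules and runs them over process-creation records constructed from the tree, plus two benign records constructed for contrast. The record layout is an assumed Sysmon Event ID 1-like dict, not a real log format, and the 1473-byte flood threshold is my choice.

```python
"""Process-creation triage rules derived from the sandbox process tree.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's process tree (image path, command line, PID, parent PID) plus two
benign records; the dict layout is an assumed Sysmon Event ID 1-like shape.
"""
from pathlib import PureWindowsPath

# Core Windows processes that only ever run from this directory. The same
# name anywhere else is masquerading (the report's Fonts\...\smss.exe).
SYSTEM_ONLY = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
               "services.exe", "lsass.exe"}
SYSTEM32 = PureWindowsPath(r"C:\Windows\System32")

# Windows subdirectories that hold data or drivers, never processes.
NO_PROCESS_DIRS = ("\\fonts\\", "\\drivers\\")

# Executable names borrowed from system directories to look native.
DIRECTORY_NAMES = {"system32.exe", "syswow64.exe", "windows.exe"}

# 1472 bytes is the usual MTU probe; anything larger is a flood, not a test.
PING_FLOOD_MIN = 1473  # assumed threshold, not from the report


def check_masquerade(image):
    """Core system process name launched from anywhere but System32."""
    p = PureWindowsPath(image)
    if p.name.lower() in SYSTEM_ONLY and p.parent != SYSTEM32:
        return f"{p.name} from {p.parent} (expected {SYSTEM32})"
    return None


def check_odd_directory(image):
    """Executable started from a Windows directory that stores only data."""
    low = image.lower()
    if low.endswith(".exe") and any(d in low for d in NO_PROCESS_DIRS):
        return f"executable launched from {PureWindowsPath(image).parent}"
    return None


def check_directory_name(image):
    """Executable named after a system directory (system32.exe)."""
    name = PureWindowsPath(image).name.lower()
    return f"{name} is named after a system directory" if name in DIRECTORY_NAMES else None


def ping_payload(cmdline):
    """Payload size requested with -l, or 0 when -l is absent.

    The report's lines read 'ping -a -l <host> 65500' with the size after the
    host, which Windows ping rejects. Take the token after -l when numeric,
    otherwise fall back to the largest numeric token so the broken order is
    still caught.
    """
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        if tok.lower() == "-l":
            if i + 1 < len(tokens) and tokens[i + 1].isdigit():
                return int(tokens[i + 1])
            return max((int(t) for t in tokens if t.isdigit()), default=0)
    return 0


def check_ping_flood(image, cmdline):
    """ping.exe asked for a flood-sized payload."""
    if PureWindowsPath(image).name.lower() != "ping.exe":
        return None
    size = ping_payload(cmdline)
    return f"ping -l {size} bytes" if size >= PING_FLOOD_MIN else None


def triage(events):
    """Run every rule over every record; one finding per rule hit."""
    findings = []
    for ev in events:
        image, cmd = ev["image"], ev["cmdline"]
        hits = [check_masquerade(image), check_odd_directory(image),
                check_directory_name(image), check_ping_flood(image, cmd)]
        findings.extend({"pid": ev["pid"], "ppid": ev["ppid"], "detail": d}
                        for d in hits if d)
    return findings


_DROP = r"C:\Windows\Fonts\Admin 27 - 6 - 2024"
EVENTS = [  # constructed from the report's process tree
    {"pid": 2024, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\116f6c6b6704dff23466e8174760bb2d5471558a294b455ffd000641d0587ee9.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\116f6c6b6704dff23466e8174760bb2d5471558a294b455ffd000641d0587ee9.exe"'},
    {"pid": 1956, "ppid": 2024, "image": _DROP + r"\smss.exe", "cmdline": f'"{_DROP}\\smss.exe"'},
    {"pid": 4956, "ppid": 1956, "image": _DROP + r"\Gaara.exe", "cmdline": f'"{_DROP}\\Gaara.exe"'},
    {"pid": 3104, "ppid": 4956, "image": _DROP + r"\csrss.exe", "cmdline": f'"{_DROP}\\csrss.exe"'},
    {"pid": 3688, "ppid": 3104, "image": r"C:\Windows\SysWOW64\drivers\Kazekage.exe",
     "cmdline": r"C:\Windows\system32\drivers\Kazekage.exe"},
    {"pid": 2168, "ppid": 3688, "image": r"C:\Windows\SysWOW64\drivers\system32.exe",
     "cmdline": r"C:\Windows\system32\drivers\system32.exe"},
    {"pid": 3300, "ppid": 2168, "image": r"C:\Windows\SysWOW64\ping.exe",
     "cmdline": "ping -a -l www.rasasayang.com.my 65500"},
    # Benign records, constructed for contrast (not from the report).
    {"pid": 500, "ppid": 4, "image": r"C:\Windows\System32\smss.exe", "cmdline": r"\SystemRoot\System32\smss.exe"},
    {"pid": 7000, "ppid": 6000, "image": r"C:\Windows\System32\ping.exe", "cmdline": "ping -n 1 -l 32 127.0.0.1"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"PID {f['pid']} (parent {f['ppid']}): {f['detail']}")
```

The masquerade rule compares PureWindowsPath objects, which compare case-insensitively like Windows itself, so C:\WINDOWS\system32\smss.exe is not a false positive. Every record in the worm's chain trips at least one rule while the two benign records trip none.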

Network

        Downloads

        • C:\Admin Games\Hokage-Sampit (Nothing).exe

          Filesize

          145KB

          MD5

          560b89771ded58252e464093474be899

          SHA1

          79f39b46a35616eb3ca91b9e43231ea75edd186d

          SHA256

          30bb6b4518e4d4509eeecf4259d6d5d3fd9c3c2a6970e22f11707766a81f21e3

          SHA512

          bb4bad515894ac43774313c5c41a1f42ce0dc628c4cfd83c6d6837b3d62fb1c602a133f9aa6f29e010544d715047fa4dce3da46f8a1e2f0314126c5c86064e89

        • C:\Admin Games\Readme.txt

          Filesize

          736B

          MD5

          bb5d6abdf8d0948ac6895ce7fdfbc151

          SHA1

          9266b7a247a4685892197194d2b9b86c8f6dddbd

          SHA256

          5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

          SHA512

          878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

        • C:\Autorun.inf

          Filesize

          196B

          MD5

          1564dfe69ffed40950e5cb644e0894d1

          SHA1

          201b6f7a01cc49bb698bea6d4945a082ed454ce4

          SHA256

          be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

          SHA512

          72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

        • C:\Windows\Fonts\Admin 27 - 6 - 2024\Gaara.exe

          Filesize

          145KB

          MD5

          f13ee8a088728f4a74bd5249617c9222

          SHA1

          5e5a1b0e9272f32c0850d38decdba132fbab94d9

          SHA256

          0593b5ae978e6b87afc5cd173c09e04d5805f71874121f42baa89cf13e10c989

          SHA512

          9f67a2602241d26ef01295d353525b1bcde413c50d97fee9a2971d1f15511b48f72386c793c5b9ef19836feccbc7f53854a5dd5c7ef6b0ffb854eda9ba30305c

        • C:\Windows\Fonts\Admin 27 - 6 - 2024\csrss.exe

          Filesize

          145KB

          MD5

          e586edfedba9bdb477bcc47cbee22ad7

          SHA1

          e772bdf57af253e29e3c6408e5dce7f390d22407

          SHA256

          fb342937a094e844d8bfcb888429eb06314c92929927cf13642eeeb46b4d9a8b

          SHA512

          15f1080d56520ce25f629019711159fe0322101963cb88eedd66393015268e97ccb29931e8b98ae6f77865895b45a01370bfa02481dea643052b3b540f11f86a

        • C:\Windows\Fonts\Admin 27 - 6 - 2024\smss.exe

          Filesize

          145KB

          MD5

          64650cb2087fa4ebca9bd63b0f288172

          SHA1

          e777a8f7714784a18f1cb13fd0bc1a3483bc6c7b

          SHA256

          ea23f4919d44e16d176be7feb9ea6169bd42ff24b9656a5d2fd3f2a4c6cacf9b

          SHA512

          14ea4aa8bdeeb9044ae6a6e216e22a02adfce9ae24950d2eaf6eb4aca3370e32ae40c2524245232184be688e6315fc799e4865bca1c9ed520ac963767d0afe4e

        • C:\Windows\Fonts\The Kazekage.jpg

          Filesize

          1.4MB

          MD5

          d6b05020d4a0ec2a3a8b687099e335df

          SHA1

          df239d830ebcd1cde5c68c46a7b76dad49d415f4

          SHA256

          9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

          SHA512

          78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

        • C:\Windows\SysWOW64\27-6-2024.exe

          Filesize

          145KB

          MD5

          479ff6e79af3224e21864b9cc4de6d6e

          SHA1

          07c35fdbb7c78b5a1949982e54746cca6f80d569

          SHA256

          a770aabee0db5136b4011cf529573a6e7c99f6ad982563e60ac0204675e3879c

          SHA512

          df0184491457608b2eac866f0ef67b796de9f97cb94fe71189028a34cc45f26c5aae87e6a6556d550990ebb83c4b7101b570a1a0b1661b4b97642ffd022c9693

        • C:\Windows\SysWOW64\27-6-2024.exe

          Filesize

          145KB

          MD5

          50399d862d7f93c417132e74d1b5c73c

          SHA1

          74235578e0ce7058846f106ee631763193dac1bf

          SHA256

          f368bdc53a6cd22e208fca9ab2053ee74a5ee29802e1932665cbc76b642ff094

          SHA512

          7a3636a187c02a58fffbdb4edbd0c824bf8c0212a487bc3e7db1a1913488d1859ad8bcd931ff840aaf78a4ce6fad7768c3326b9355965252d0e71948d80c95de

        • C:\Windows\SysWOW64\27-6-2024.exe

          Filesize

          145KB

          MD5

          b3310ec249bffaabeedadeda55355cbc

          SHA1

          ea81e7232017d5e9c7aee2aefa2dbd420532a10e

          SHA256

          4700d9cf9f291a09abafb3b0c3cd781241e00eccd35a28a7f401a4b4178d3f72

          SHA512

          e3029c9379e08ee786dcbcee07fac3a705e841a46917b329df3092053770ba35fe98359ae1caac20cac026b50758599c6abcbad171e2fc769cc7cf8aa4caaeb2

        • C:\Windows\SysWOW64\Desktop.ini

          Filesize

          65B

          MD5

          64acfa7e03b01f48294cf30d201a0026

          SHA1

          10facd995b38a095f30b4a800fa454c0bcbf8438

          SHA256

          ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

          SHA512

          65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

        • C:\Windows\SysWOW64\drivers\Kazekage.exe

          Filesize

          145KB

          MD5

          60d856fe80f0ade9ed57a0bb9c3eb3f3

          SHA1

          6acc442af99dd3a2e14e89f446678044a6d09dda

          SHA256

          f4e992ff5b4212ce17872e2e5c549909772926a47163f223ab1ee34551d21f94

          SHA512

          f7c98591743a24d899e74496183134e65a6f414f8d7c877d948794bc2817fd870aea30ffb6baabe3264f7bb2d3ab904fac4e9aabbba59c1c98d541438565ebfc

        • C:\Windows\SysWOW64\drivers\Kazekage.exe

          Filesize

          145KB

          MD5

          f5105f98775210ae957a7659bd9f144e

          SHA1

          5259e91c5dbb68f4b8acd84967016df5955b735d

          SHA256

          b87df36a197cefecce2a8fa0c7d730098e6480a6819dfffe9640e0e8f64dae60

          SHA512

          299649bbd210d0fc4384e1ca7789432f174a956693cde9c90411eac0100fa2d67d9e6ea6241cfdc66188b34fed22a4c0467d813ac68d5c2dccbe0862e9bd0545

        • C:\Windows\SysWOW64\drivers\Kazekage.exe

          Filesize

          145KB

          MD5

          af45dc162012284fb40a9a0a5f088fd6

          SHA1

          5af0f8abb88908cd43ea1477df2f2ffe0e2c3781

          SHA256

          6850d79765af65bad0cf65aa6157a8fe080ab11ff0534e2210fa74cfc55ac35c

          SHA512

          a6c07e1ce92f91274afb93d361755d0ae56e597bdafb0782c571a098f09dec3f3a6df0847ae2ed07b71adfe31b85f1805afc0fd72cbfc92800c7c64bbcac77c5

        • C:\Windows\SysWOW64\drivers\system32.exe

          Filesize

          145KB

          MD5

          5dc88b90ba778dbc244a4610b272aa70

          SHA1

          45966c0d83ee945cc628b1bfd19b3bc4685a619e

          SHA256

          b8ea9e0ad3288b6a3bfcaae02202d38751d48c610c6fd3a8527815665a4c6b76

          SHA512

          2c8b95a5aaf2a0d77234133b011a79ac1ad42c225766dc85bb605508db857ac468473501b50eb28e02bada4696f040913a277aaa13e4991c03754a96f7a083c3

        • C:\Windows\SysWOW64\drivers\system32.exe

          Filesize

          145KB

          MD5

          3360513cd0f91cc73dd67e133b715b9e

          SHA1

          64ce7ed3cc8c2f4f1e1c0caf998353e2f386f552

          SHA256

          e605a1687d845a1b7febbf5e9c155d692cb447ce10d745f30c460c05ff9fcb8b

          SHA512

          dd2aeaec02544ec7e5ed50abccc83d500da5bc90473cec73cf6b224ef665ef9e9a93b24e3f7ca8ee86fc1403104339dca8923acedaa712d3d618ffceb08a40cb

        • C:\Windows\SysWOW64\drivers\system32.exe

          Filesize

          145KB

          MD5

          e260a4b65cafb764086bd87e68afbb48

          SHA1

          29e8af3530ca5326f5ac7b42dbc777f928885123

          SHA256

          4cf51c557058d98462420cbd965ef76bfc3b080a6dce744e006041a8e8111db6

          SHA512

          6f9197bd29ca0a43a633e10f3b86dbaf97191020ecb37b8e4fdbe5548a11aef54321d08384d7d84b963cfa6ed15db6b767331de6339c5707b1736027fcd7dd5c

        • C:\Windows\SysWOW64\drivers\system32.exe

          Filesize

          145KB

          MD5

          32cd348974188713696cb2d88f56a4ea

          SHA1

          18b8cbee59738916b692c00f9373d880dcca8666

          SHA256

          0dc2b0d671c808468fa4b5111758c790593447440689dcfc4b6cca0ac829620f

          SHA512

          4b5fb93da12776cf0fe119ba3d5515111badab08e2281136fbcff69ef040e49728dc4ba8bedbf60c41090a4fe570c2e15753d9a55f88d69e06648b91d88d5e79

        • C:\Windows\System\msvbvm60.dll

          Filesize

          1.4MB

          MD5

          25f62c02619174b35851b0e0455b3d94

          SHA1

          4e8ee85157f1769f6e3f61c0acbe59072209da71

          SHA256

          898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

          SHA512

          f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

        • F:\Gaara.exe

          Filesize

          145KB

          MD5

          951e4f9266deb978742ca791b6929302

          SHA1

          424e121d0c1a4da74c3707e866c535ae993861aa

          SHA256

          116f6c6b6704dff23466e8174760bb2d5471558a294b455ffd000641d0587ee9

          SHA512

          2cbd3b92590cb34ac9a4e85b6c8d8196c71b58db81f8487ee9822c65f1e01b996a2cb7e434f7ae83cd24a62292b6e29c33964e21509ea4bfeaf5e1ee46140492

        • memory/684-257-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/764-232-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/952-192-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/1176-201-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/1176-207-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/1560-123-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/1956-34-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/1956-983-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2024-943-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2024-0-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2168-208-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2196-70-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2196-78-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2204-270-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2204-269-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2296-239-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2368-248-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2532-113-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2548-260-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2596-195-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/2612-152-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/3104-985-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/3104-120-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/3184-245-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/3196-163-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/3196-157-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/3264-235-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/3548-159-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/3568-263-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/3688-165-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/3688-986-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/3700-202-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/3768-251-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/3876-229-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/4524-242-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/4524-238-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/4580-273-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/4764-266-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/4876-276-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/4956-77-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB

        • memory/4956-984-0x0000000000400000-0x0000000000425000-memory.dmp

          Filesize

          148KB
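Two entries in the dropped-file list above relate to the "Drops autorun.inf file" signature: C:\Autorun.inf (196 bytes) and F:\Gaara.exe, whose MD5, SHA-1, SHA-256 and SHA-512 all equal the submitted sample's, so the copy placed on the attached volume is byte-identical to the original, while the copies under C:\Windows\Fonts\ and C:\Windows\SysWOW64\drivers\ hash differently. The autorun.inf contents are not shown. The following is an added example (mine, not the report's) of the check an incident responder runs against a mounted volume root: find autorun.inf case-insensitively (Windows file names are), parse its [autorun] section, resolve the keys that name something to launch (open, shellexecute, shell\open\command, shell\explore\command), hash each target and compare it against the SHA-256 values this report gives, and list any executables sitting at the volume root. The autorun.inf built in a temporary directory is a constructed stand-in that shows the keys Autorun honoured, and the Gaara.exe beside it is placeholder bytes rather than the sample, so the known-bad match is false on the demo data.

```python
"""Removable-volume autorun triage.

Added example, not part of the sandbox report. The report lists C:\\Autorun.inf
and an F:\\Gaara.exe identical to the submitted sample but not the .inf contents;
demo() builds a constructed stand-in volume to exercise the check.
"""
import configparser
import hashlib
import tempfile
from pathlib import Path, PureWindowsPath

# SHA-256 values from the report's General and Downloads sections.
KNOWN_BAD_SHA256 = {
    "116f6c6b6704dff23466e8174760bb2d5471558a294b455ffd000641d0587ee9",  # sample == F:\Gaara.exe
    "0593b5ae978e6b87afc5cd173c09e04d5805f71874121f42baa89cf13e10c989",  # Fonts\...\Gaara.exe
    "f4e992ff5b4212ce17872e2e5c549909772926a47163f223ab1ee34551d21f94",  # drivers\Kazekage.exe
}

# autorun.inf keys whose value names something to run; icon= is the lure.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command", "shell\\explore\\command")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_autorun(text):
    """Return the [autorun] section as a lowercase-key dict, tolerating junk."""
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.optionxform = str.lower
    try:
        cp.read_string(text)
    except configparser.Error:
        return {}
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k: v for k, v in cp.items(section) if v is not None}
    return {}


def executable_from_command(value):
    """Strip quoting and arguments: '"D:\\\\x.exe" /q' -> 'D:\\\\x.exe'."""
    value = value.strip()
    if value.startswith('"'):
        return value[1:].split('"', 1)[0]
    return value.split()[0] if value else ""


def resolve_on_volume(root, command):
    """Map a Windows-relative or drive-absolute command path onto the mount root."""
    rel = PureWindowsPath(executable_from_command(command))
    parts = rel.parts[1:] if rel.anchor else rel.parts  # drop 'D:\\' or '\\'
    return Path(root).joinpath(*parts)


def inspect_volume(root):
    """Report autorun.inf launch targets, their hashes, and root-level executables."""
    root = Path(root)
    inf = next((p for p in root.iterdir() if p.name.lower() == "autorun.inf"), None)
    result = {
        "autorun_present": inf is not None, "icon": None, "launch": [], "known_bad": False,
        "root_executables": sorted(p.name for p in root.iterdir() if p.suffix.lower() == ".exe"),
    }
    if inf is None:
        return result
    entries = parse_autorun(inf.read_text(errors="replace"))
    result["icon"] = entries.get("icon")
    for key in LAUNCH_KEYS:
        if entries.get(key):
            target = resolve_on_volume(root, entries[key])
            digest = sha256_file(target) if target.is_file() else None
            result["launch"].append({"key": key, "target": target.name,
                                     "exists": target.is_file(), "sha256": digest})
            if digest in KNOWN_BAD_SHA256:
                result["known_bad"] = True
    return result


def demo():
    """Constructed volume: an autorun.inf pointing at a placeholder Gaara.exe."""
    root = Path(tempfile.mkdtemp(prefix="volume_"))
    (root / "Gaara.exe").write_bytes(b"MZ" + b"\x00" * 62)  # placeholder, not the sample
    (root / "Autorun.inf").write_text(
        "[autorun]\nopen=Gaara.exe\nshellexecute=Gaara.exe\n"
        "shell\\open\\command=Gaara.exe\nicon=Gaara.exe\nlabel=Admin Games\n"
    )
    return inspect_volume(root)


if __name__ == "__main__":
    print(demo())
```

Windows has ignored autorun.inf on USB media by default since the 2011 AutoRun update, so on a current host the file is less a launch vector than a marker: its presence says the volume was touched, and its launch keys name exactly which binary to collect and hash.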