Analysis

  • max time kernel
    86s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    20/10/2024, 23:06

General

  • Target

    6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe

  • Size

    145KB

  • MD5

    6e0a5bad73ddf8b05ea69aa6775df2a3

  • SHA1

    7185cfa795b13bfca5213af466aacc0ff4145968

  • SHA256

    6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34

  • SHA512

    58646b0234fd5377b5942eef4430bb9ac2187e802cfdd156cdd258940dbcb5951b91dc5882062d5f108f6e0900f6a3c5fcd6352940b4fa41318a8c3f9833b83b

  • SSDEEP

    1536:1Jo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTVG:zx6AHjYzaFXg+w17jsgS/jHagQg19VG

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 61 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 45 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 30 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 48 IoCs
  • Runs ping.exe 1 TTPs 30 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
    "C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2768
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2900
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2600
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1916
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2680
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2708
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1304
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1488
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1744
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2192
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1840
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1580
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1328
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1768
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:972
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visibility of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Event Triggered Execution: Image File Execution Options Injection
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2012
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1756
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1688
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2016
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:360
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1788
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2800
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2756
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2472
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1292
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1008
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2720
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1320
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3052
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2256
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2260
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2228
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2504
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2284
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1712
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2280
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2052
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2220
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2532
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3052
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2164
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2144
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2724
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2436
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1492
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2088
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2280
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2216
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1028
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3060
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2680
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:668
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1616
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2248
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1552
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2772
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2628
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2888
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2224
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2044
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2444

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Admin Games\Readme.txt

    Filesize

    736B

    MD5

    bb5d6abdf8d0948ac6895ce7fdfbc151

    SHA1

    9266b7a247a4685892197194d2b9b86c8f6dddbd

    SHA256

    5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

    SHA512

    878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

  • C:\Autorun.inf

    Filesize

    196B

    MD5

    1564dfe69ffed40950e5cb644e0894d1

    SHA1

    201b6f7a01cc49bb698bea6d4945a082ed454ce4

    SHA256

    be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

    SHA512

    72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

    Filesize

    145KB

    MD5

    f87349a8c0f8a259fff33cb5c8ce481c

    SHA1

    a916c27bf93a378f69852cd9cb7d60b2324a568c

    SHA256

    2d417ce16825fb5709a610d2c60568184836506018ed523bf17fa10e8ddf82c2

    SHA512

    a0db1085f1eafb368e5630106d6c95dad67fb67c46754775313584b3c163663b9721439c86f6d76ac01c2b9faae0c324104800706b380ac5d460eddae0312229

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

    Filesize

    145KB

    MD5

    6e0a5bad73ddf8b05ea69aa6775df2a3

    SHA1

    7185cfa795b13bfca5213af466aacc0ff4145968

    SHA256

    6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34

    SHA512

    58646b0234fd5377b5942eef4430bb9ac2187e802cfdd156cdd258940dbcb5951b91dc5882062d5f108f6e0900f6a3c5fcd6352940b4fa41318a8c3f9833b83b

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

    Filesize

    145KB

    MD5

    fd215c7833a4193f7457a2382434d53b

    SHA1

    97682ac9428effc6c2e5136e054299a53a1aaf32

    SHA256

    c7628c37e3c3d4a59e40b94e8b912d1e376766c2977ff9159150bacec821d669

    SHA512

    cc8cb4d3aa3108f9b5c471cc1e2d6fb0d674e83c9d42820aed2b635975a6261bde61076b2a2d8e3403b0fba8777b3df9eac68230d53a1b04d65f356c28283d26

  • C:\Windows\Fonts\The Kazekage.jpg

    Filesize

    192KB

    MD5

    ca8609f3eb4c6e461d3582ff9234b309

    SHA1

    702ccf95aaa1a5de3982d3d8a2d58d95fea3e7a5

    SHA256

    277d5e607db233f135fd637900124c7f315dc0ce4a86fe5b65ca9d03040e41f3

    SHA512

    54432d2b7abffbac97d8a1768d081c874120ea86c3e2335e880acf54280f5ec7bca38016e6c51d4dc3115270edb9680c29487895a4d236ee140d8bd73836201d

  • C:\Windows\Fonts\The Kazekage.jpg

    Filesize

    1.4MB

    MD5

    d6b05020d4a0ec2a3a8b687099e335df

    SHA1

    df239d830ebcd1cde5c68c46a7b76dad49d415f4

    SHA256

    9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

    SHA512

    78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    145KB

    MD5

    f7aa242a6911a1a03df41e741a5dda3c

    SHA1

    e24478a02745472be2a5530f4f76da2cdcbc15c4

    SHA256

    9904e0baa3094494dcb67df4b9a2fafd9450d7147eba0a4eeaa3003fcbe27ee3

    SHA512

    56c1043638ecd7df7398a45e429babc74a0d0e9f9b48b9bd65f971b261240918c51a68cfd9fe79c7b3f02ad9b66c78c6e4d3d53d8f53fc119f7fd01b34cee788

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    145KB

    MD5

    a005d41c944a073ab6e676eed606040a

    SHA1

    066c85400252a2141da31f3c9bfe87ad335673d8

    SHA256

    fb6327ddef45ff6f8385af982105a7966576966604243d5c7c65fc58c5d0f14c

    SHA512

    3c83a35a5de0f92b1c6ed07e4f348d56c80d362318a6292479f8f918da096df9d2a9248108eeec37e67e9833806b9d08969934ed6d7610c065803b6773c87be6

  • C:\Windows\SysWOW64\Desktop.ini

    Filesize

    65B

    MD5

    64acfa7e03b01f48294cf30d201a0026

    SHA1

    10facd995b38a095f30b4a800fa454c0bcbf8438

    SHA256

    ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

    SHA512: 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

  • C:\Windows\SysWOW64\drivers\Kazekage.exe (Filesize 145KB)
    MD5: 22f869b912e9faf53f6e99d411ba49ac
    SHA1: 493f524389c315edcc8fa369c9cf1ed8e8af7f95
    SHA256: afc17587a442f8bac6247ef6b4e99eed21f31603a25ca23fab3684e178c2a95d
    SHA512: 26b489d7d4b6c55a6b2dce92c5c08527f50d50638bc646c3a99430ad93d955fcd9472836bfc5afa85a0c9ff3224f0c92deae4a9dabf1860a0d2f516fdc98f331

  • C:\Windows\SysWOW64\drivers\Kazekage.exe (Filesize 145KB)
    MD5: 5dcda7a5489d6ece3bea4dadaed85e20
    SHA1: ba58c5a2e0559feb7ad27d709beb9f0409bee4dd
    SHA256: de1a216f27111a148a492157c3e948cfed933cb24fbeec58cc5f76742c2d3cfb
    SHA512: 44860e2f1942b8f8fd46a0f1ad8fc4e040902f350ec10df80c4b3e55cea08dc9c9bdd5c03c9ee52fe8d7e765ccb134afbec9d9d16d9c1702c8b7182d865f1f99

  • C:\Windows\SysWOW64\drivers\system32.exe (Filesize 145KB)
    MD5: 8ef6f05d4993334f64a4021ae1783d61
    SHA1: c5226caa6724a64fc976ddba87a53764d1fd5f0c
    SHA256: b3af573b68251cb26a8b125c17914935fadb078229204d0a5d363a8de71c66dc
    SHA512: 2f9c2e291aa0370af8dc0f10d55983d6ddc76a17678041679cac23eaee797a0216c9200afa459e17a0beab3f2f4afaf7f5a92cf7a0f3b45d63b644242c18d43f

  • C:\Windows\SysWOW64\drivers\system32.exe (Filesize 145KB)
    MD5: 63c8e298b333d4ae0193516c97ced36d
    SHA1: 0693ca946e1cfe864357ea3b181fc17d90aad172
    SHA256: bb2dafe896dd8997843eaa360bf200546bc093312bf655a87604112d3182953d
    SHA512: 80f22056320defe3409f989c7abee695f746c0c57611b1e52c3b93a6849bb248c95e13cc096791384de286dc2e6beaedf24c7a033bc8d628c630decf2208ff9b

  • C:\Windows\system\msvbvm60.dll (Filesize 1.3MB)
    MD5: 5343a19c618bc515ceb1695586c6c137
    SHA1: 4dedae8cbde066f31c8e6b52c0baa3f8b1117742
    SHA256: 2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce
    SHA512: 708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • \Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe (Filesize 145KB)
    MD5: 67d9ead8124ddadb319f31a1f3fe0025
    SHA1: c2cb3be7f47cfcee9a9674f2714bcf7030a4f257
    SHA256: 2004c1df2ccc7414bbfbbfafe49022cffa3b91435b5858c306a6cefe42d4c3c5
    SHA512: 6793afeef95f9f7290cc75f61906c3c9dfba2840ee76c46f9a77192de9c4910420ec4d539d5f2bb8ae863a3e9e10e195b2cd58144bbaca35cb56137883a4c31d

  • \Windows\Fonts\Admin 20 - 10 - 2024\smss.exe (Filesize 145KB)
    MD5: f4fbd6e6719093d10850aa00a18ebff1
    SHA1: b6a323bc539a0c4ed21c2af1fc99074c6b38383b
    SHA256: 8fa7378162232464adc723b3184ca558ccdb65c6cea1ccae90c5407f3db55752
    SHA512: a102696d5482cac94d469475e85db35fc35589a4028ec971c1306f62bc9dceef7a03289393d30cc11d4acc7e3cc196a966b72a5c975b30cfd7cba9a9392f7108

  Memory dumps (each region Filesize 148KB):

  • memory/360-258-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/972-228-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/972-224-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/1028-286-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/1304-303-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/1304-191-0x0000000000350000-0x0000000000375000-memory.dmp
  • memory/1304-190-0x0000000000350000-0x0000000000375000-memory.dmp
  • memory/1328-221-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/1488-174-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/1488-168-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/1688-252-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/1744-178-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/1756-249-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/1768-225-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/1788-261-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/1840-234-0x00000000005C0000-0x00000000005E5000-memory.dmp
  • memory/1840-559-0x00000000005C0000-0x00000000005E5000-memory.dmp
  • memory/1840-218-0x00000000005C0000-0x00000000005E5000-memory.dmp
  • memory/1840-230-0x00000000005C0000-0x00000000005E5000-memory.dmp
  • memory/1840-394-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/1916-132-0x0000000000430000-0x0000000000455000-memory.dmp
  • memory/1916-302-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/1916-87-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/1916-118-0x0000000000430000-0x0000000000455000-memory.dmp
  • memory/1916-137-0x0000000000430000-0x0000000000455000-memory.dmp
  • memory/1916-264-0x0000000000430000-0x0000000000455000-memory.dmp
  • memory/2012-560-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/2016-255-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/2192-180-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/2192-185-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/2216-283-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/2228-265-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/2248-289-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/2280-279-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/2532-271-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/2600-78-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/2628-300-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/2680-125-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/2708-126-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/2708-131-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/2768-293-0x0000000000320000-0x0000000000345000-memory.dmp
  • memory/2768-299-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/2768-296-0x0000000000320000-0x0000000000345000-memory.dmp
  • memory/2768-290-0x0000000000320000-0x0000000000345000-memory.dmp
  • memory/2768-0-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/2768-32-0x0000000000320000-0x0000000000345000-memory.dmp
  • memory/2900-301-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/2900-275-0x00000000002A0000-0x00000000002C5000-memory.dmp
  • memory/2900-280-0x00000000002A0000-0x00000000002C5000-memory.dmp
  • memory/3052-272-0x0000000000400000-0x0000000000425000-memory.dmp
  • memory/3052-276-0x0000000000400000-0x0000000000425000-memory.dmp