Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2024, 23:06

General

  • Target

    6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe

  • Size

    145KB

  • MD5

    6e0a5bad73ddf8b05ea69aa6775df2a3

  • SHA1

    7185cfa795b13bfca5213af466aacc0ff4145968

  • SHA256

    6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34

  • SHA512

    58646b0234fd5377b5942eef4430bb9ac2187e802cfdd156cdd258940dbcb5951b91dc5882062d5f108f6e0900f6a3c5fcd6352940b4fa41318a8c3f9833b83b

  • SSDEEP

    1536:1Jo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTVG:zx6AHjYzaFXg+w17jsgS/jHagQg19VG

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
    "C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2364
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3316
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4800
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3532
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4324
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5100
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4236
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1952
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3720
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3412
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:3768
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4472
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:368
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4680
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:32
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visiblity of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Event Triggered Execution: Image File Execution Options Injection
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:488
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4768
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2656
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2212
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1016
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                PID:4060
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:980
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2576
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4512
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2356
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1164
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1136
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4340
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1828
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4060
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2516
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3412
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2908
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2816
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:32
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1668
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:672
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4476
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4048
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3344
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4280
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3912
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4404
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1384
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4352
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4228
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3596
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:552
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1048
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1440
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1844
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2576
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3492
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3980
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2024
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1976
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1944
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1796
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1944
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:636
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4456
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3932
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:5000
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4452
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:756
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4448
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1680

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Admin Games\Readme.txt

    Filesize

    736B

    MD5

    bb5d6abdf8d0948ac6895ce7fdfbc151

    SHA1

    9266b7a247a4685892197194d2b9b86c8f6dddbd

    SHA256

    5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

    SHA512

    878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

  • C:\Autorun.inf

    Filesize

    196B

    MD5

    1564dfe69ffed40950e5cb644e0894d1

    SHA1

    201b6f7a01cc49bb698bea6d4945a082ed454ce4

    SHA256

    be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

    SHA512

    72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

    Filesize

    145KB

    MD5

    633510bbd5a86789fc7e0c3b3a45f33e

    SHA1

    7a7927eda78fa6ee401c34a1ffc07a0cf081a363

    SHA256

    49c9bf332c2ca47355dc1ebca0d8b2d7ac9f6c9201ef5bb3bfdfae15d8dec25d

    SHA512

    c71f4c106ea271e953cd922eb8878b9789ecd1db7882813b697cf400bd36b3b8f70e87e61b6791d1c98d93afd6715465cd16a8479eb245d56c7e81569f8a9933

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

    Filesize

    145KB

    MD5

    2182e2b5a0ee539c29f1476ced3945aa

    SHA1

    bcd4ce4c503d7e5b4bf1f2d00944bc5e9e74bcae

    SHA256

    19793e7f6bde3a724b5f4a4142e1030f2bd581a5c20f8736181713399290dbe1

    SHA512

    1f12c33ae113fd83777a6ee0767a2b3caaca908ceeb97fe07fd267fd45d78c7f77373694741b199f61ab239936720fcd5585eddd183ea5535099b1161c319f2c

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

    Filesize

    145KB

    MD5

    8ca7fd368e196de5f535bc3f04bc13eb

    SHA1

    b6ccc8bfbbdc351fd9396dce713bacf136857105

    SHA256

    abbbab72654c7f58473a8c33f63e684938f6a3e1da346030b0e4249cddb0c6dd

    SHA512

    d50c9e7b3d302f28884c934cc67a113c1e81643457a24ab0833544d79267440efda110a91740b1996ec14aa0707ea2be2c9db83c041ee29b4f77c62c25ace61f

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

    Filesize

    145KB

    MD5

    733ab7bb6a01a2c24114ac103892e323

    SHA1

    b3288abcf4ac3f05524a8227a646193bb2512b8f

    SHA256

    5608e2e4ee633dbbeb2a609fbd3b9fd07935d12ac7376480cf71fa3e8a179715

    SHA512

    1cc36c32e92806e5f1847c41ea3564a6e10ca179c468c11e46de3b5049db1886cc6a6c9d7ed9e42e054dad1d8613d004c0a86551d3be9e2339bafebae6c5b7e0

  • C:\Windows\Fonts\The Kazekage.jpg

    Filesize

    1.4MB

    MD5

    d6b05020d4a0ec2a3a8b687099e335df

    SHA1

    df239d830ebcd1cde5c68c46a7b76dad49d415f4

    SHA256

    9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

    SHA512

    78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    145KB

    MD5

    539bd0b68837c20d3de4b981438e2f7d

    SHA1

    7eadd68e8bd626d22fd1f377a80ccb442a718ac1

    SHA256

    2c0a34d11272be4b0ac7782d8af2b424cd2963ed79a5e88062bd0f0ee5421580

    SHA512

    06febb93b64420c0307b7a180b06d47679ce9ddd1064624430155343e0681967e21a0ab5ff7d5d6715542f1a9c279c9c570d401a66f8c0f0d3eb5d6010bf9a2e

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    145KB

    MD5

    2a66c2723852b380204d7b7e3da8fc78

    SHA1

    0ef0cf42fca1e30e12f78ba50240c85e2ea78d32

    SHA256

    aa0166fa461dd5e065c1d814e65eb93429c1a144a9d9d122330b851042efdc42

    SHA512

    46be6f3cc4eab1161febc3ba3392b652bd67088736381204899aadc6fdc3cf6d1948cc8daadb043abf5cc42fdb83faa5eb17c5ccd224f954db6b2d99389f729a

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    145KB

    MD5

    451bd9b4668ecac963768bd123813464

    SHA1

    64ce9413815b970eae1287ecbd66e3ddf5064a8f

    SHA256

    41474114181d73f1d0e875986046b2d38243241cedd90919fa18e87bb3ca87fe

    SHA512

    44be9d51802a1b48ad7c3ee835dc6628c38168b7cb47d7b1ec04a9d834df9a657d40290562e4c412d86bf341ebab92cf36c72811f2f07627d8ed8a683352044a

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    145KB

    MD5

    f7c894aa05ba47003327c73f655561ea

    SHA1

    b1be89c16d23f853bffb043c14c9c4cdd51e38d5

    SHA256

    497ec547110474f0e5da2d1439ea7e42e4a07fa02a1350daa63835f8a0133d5f

    SHA512

    897605d81aee63d5c6b909c70c45a6d777d4a1efe141cb924722743ccaaf467643d4541f5a626f4fa6365cf53a6befceb5c9e22db5991208c922186c2c0a3d74

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    145KB

    MD5

    ff2fc709ddfd52e98369d0a54d054fc1

    SHA1

    592c4cc7903039edd0cca488fab41025c4e90b09

    SHA256

    21d3c036e3de347c46f199b13bc2635a56145e0ad3ca7343733c3ef925c2929c

    SHA512

    dc785f0ddb93490331b9f717bcfcbdcc0ec61bafbc0cfe1bdabf39135ef96ee7b397d71a146090e3dc5b070395d10fb5aa97152512a1802296271bc64c8c5b25

  • C:\Windows\SysWOW64\Desktop.ini

    Filesize

    65B

    MD5

    64acfa7e03b01f48294cf30d201a0026

    SHA1

    10facd995b38a095f30b4a800fa454c0bcbf8438

    SHA256

    ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

    SHA512

    65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    145KB

    MD5

    3a3e7d374c313bea5ed152eb0c4b95ac

    SHA1

    70d8c7e2695d5dc06bf76902572a4c65d4bbc6c6

    SHA256

    b478793543ba58d50f33043c2ceec495b40d84225d9532e93a5e826dd744aba3

    SHA512

    9e51617439bf3478906dae7d3d8a99b0934fc9f5f9d2457ad026fd1c89fb11b740a3f329d8b09ffee317474f52bc14b141fa80df8560d67860cb7cd21e98ac0f

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    145KB

    MD5

    d4958bb437ea95e974e60e713c55d3f7

    SHA1

    644233d244cf571c856df22f9f430218f114d3c6

    SHA256

    bccb49124991ad6f3551c985be2cbc7c94dbfa0e03ab6b34abd621bf708358e5

    SHA512

    ce1e2f60e8d3310e5c83c626d3a2024e8c6bd5f398e184485cb31a61027c57021eaab803f527e74a5fb00ddcb4b5c6b88f4b4e681b0be041743b16fa4d07b154

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    145KB

    MD5

    9a8ded540a19c9782d578917f27d07ed

    SHA1

    2a4af2151b1c6dd4b46ab6ec58e76f85d5889cf7

    SHA256

    3d5b652fe6a3386ac3973c922ecab75071bfb1692745b63e50f5a0c17dc6c52b

    SHA512

    9b4fecab736cfa86b997379043919adfaa7586db865e8d3b15b2c62c90a406f837b4f4aec3907a0b9f944ff655f2529d30cd58812d3c9188aabfb1563a585a1a

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    145KB

    MD5

    7dcd365dbb501e43e07ef4912d2f0b03

    SHA1

    925671b0bbec96371a55f17a85099d03648b1c6e

    SHA256

    1a0cfff63045f29ffab2404d5abf830e123fcbf3ac67329530fcc4223b49fd01

    SHA512

    6d1e8eb6a6b102a29973205cfd772ef8c666e09db64717b8b63101a119548bd6de3e2354ae990e299c12f8d97f5387169f4ed5858a4da8f6d4c48b87107f1a36

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    145KB

    MD5

    37008e8edf75ccaf2dbfd820acf3cbfe

    SHA1

    0aaf9e8f07e52ebe86cf002c6cb2f0c3c623acff

    SHA256

    cfef49fe33e0c920f86384c63f18f7e5d4f560b43a6d69cf80c0e41887ab0acf

    SHA512

    30cccf37cb797014972953132b0638c77c57d0bd26febbaf2601b6de30df4ca5a6862bc8db4b95d0363cf2d308d8b8468c6c95e813ea167a71a2ed9244b93737

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    145KB

    MD5

    385c2cef8b4098d27641600853abc0d6

    SHA1

    12ce3789e7731f37fa081873a3d1771820b63989

    SHA256

    75b59da2ddb117d15ac97cc46ac2b967ac20b740791223b298f20989b1c99636

    SHA512

    89fbcdf71e25a87a15b583d0ac24a2118b0179ac8e10fa2931f7f5f3099b32449214bc0e18453025a8adaba7dc97fdedba55ab7cdd944124f063d0a1c3b86cf7

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    145KB

    MD5

    39a702409c2cf297834eea43d0c9773d

    SHA1

    addf1c89fd11dc3d4ef5f2bedfd90bae1dcca082

    SHA256

    c03e73987b43dca5d51c7745fe2519bf0105cd4d1cf9c4ef25c19b95878a9c17

    SHA512

    02e06f9c768b7b45b9b115164caa43b3f7f29b937f2b6cf8c84d24d2159a92ea60ef21829104e492059b17022f0275e7f11cbccbcddcbd3e6bac6376ffb02b63

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    145KB

    MD5

    f5a21dd6eb0ab1a8ca03b568bb7e51ae

    SHA1

    9a4e9d0856a1ee7ae58d2071aeb7d258ede1aa0f

    SHA256

    001ca731f696c1289eac2706d26e8c839963040ca5aa7acf463548de6c51d805

    SHA512

    23e938066f72989a31aaf8a4dd52f52d7b9356f44899f2738d9e6a84e5e565757a570157973136625fd243e771d4a51538bf9cf074adfba78f233cd41ab1502c

  • C:\Windows\System\msvbvm60.dll

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • memory/32-205-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/368-194-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/488-529-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/488-203-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/636-266-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/636-262-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1016-234-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1048-250-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1440-253-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1796-259-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1844-256-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1944-263-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1952-153-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2212-230-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2364-524-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2364-0-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2656-227-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2816-238-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3316-34-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3316-525-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3412-161-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3532-526-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3532-75-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3720-156-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3768-162-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3768-528-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3912-247-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4060-233-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4060-235-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4236-118-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4236-527-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4280-244-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4456-269-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4680-198-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4800-80-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4800-71-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/5100-117-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB