Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    20/10/2024, 22:56

General

  • Target

    6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe

  • Size

    145KB

  • MD5

    6e0a5bad73ddf8b05ea69aa6775df2a3

  • SHA1

    7185cfa795b13bfca5213af466aacc0ff4145968

  • SHA256

    6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34

  • SHA512

    58646b0234fd5377b5942eef4430bb9ac2187e802cfdd156cdd258940dbcb5951b91dc5882062d5f108f6e0900f6a3c5fcd6352940b4fa41318a8c3f9833b83b

  • SSDEEP

    1536:1Jo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTVG:zx6AHjYzaFXg+w17jsgS/jHagQg19VG

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 62 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 38 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 34 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 48 IoCs
  • Runs ping.exe 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
    "C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Loads dropped DLL
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2956
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2724
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2900
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:528
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1268
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2520
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3056
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2492
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2032
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1988
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:2316
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1760
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:872
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1848
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2180
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visiblity of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Event Triggered Execution: Image File Execution Options Injection
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:1068
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1652
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1524
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1336
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2064
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1060
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1800
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2068
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2096
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1056
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2180
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1508
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1768
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1888
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:424
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1188
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1936
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1484
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:648
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:984
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1640
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2772
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2780
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2600
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2000
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2204
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1680
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2964
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2604
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2020
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2136
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1920
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2332
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1252
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2144
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1904
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1556
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2760
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2248
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1680
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:704
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2964
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2616
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2800
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:920
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:580
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2164
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2272
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1544
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Admin Games\Readme.txt

    Filesize

    736B

    MD5

    bb5d6abdf8d0948ac6895ce7fdfbc151

    SHA1

    9266b7a247a4685892197194d2b9b86c8f6dddbd

    SHA256

    5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

    SHA512

    878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

  • C:\Autorun.inf

    Filesize

    196B

    MD5

    1564dfe69ffed40950e5cb644e0894d1

    SHA1

    201b6f7a01cc49bb698bea6d4945a082ed454ce4

    SHA256

    be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

    SHA512

    72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

    Filesize

    145KB

    MD5

    a29f5849837c5cf16d9bc7b9b6c2c6d1

    SHA1

    a483837302f64b8d9df42981c60ee8ce0cdba2de

    SHA256

    44ac7c7db112c899b9921d67036ec2ae63f36b8d1d456f354fa6d3d75472e62f

    SHA512

    ed87234170801357f9b6e3c4b5770418b7b51237ff7ac0e18a8ceed545047e1d44cabd30da05ba63b3c7159e5fe1e8c7fde4330e53dc74eb986b845286b87cc2

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

    Filesize

    145KB

    MD5

    e2e24b204e58e16848e4678218173efc

    SHA1

    6e952126c7f84599f9a7014d979b6d24413c5ace

    SHA256

    7dfa145b92874212c8de21f5140a0b7924798874deafd1b2a19baaa344e9a164

    SHA512

    469b7a73638c4d2adfe4193666a70db9c42011572eb728a098829a489c7734750aa71e3c473b107460b91286ff6370044fc44d11d366b0f311746ebbd9d0854e

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

    Filesize

    145KB

    MD5

    844864ae07faca0a236ff2fc17e60ab8

    SHA1

    522a58c1af85a478fa8b6964fc24dae9f5a15f66

    SHA256

    791aae2fc70654086f4cb7f31ecde14ac8b1d57ac2f2fc918b2b96518dad84a5

    SHA512

    6a2e5c9a5bafa5cc79ab28a10cebbcb905ab71b2d2ff9396da7dfc5e3f0b439ec81f5bf019dcd7c11de776a71220fd18960d631caeb2388b59094f6897abd0b7

  • C:\Windows\Fonts\The Kazekage.jpg

    Filesize

    320KB

    MD5

    f15940eb1d95d53941a0819198280dd4

    SHA1

    3c7314d9dbb92aa500a12c218a06f7d7c6ea0a72

    SHA256

    c278c91e4a2b2f2fa837a6cdd75f61462c1b89fb007e0d29bad144939cd29b20

    SHA512

    525b9b44e808b9900b8c22dac12b109f1b9ef44df56e853d4079e79365ff498e07b0616834c954c0d95be164f0e2aad778bf7f00e2c079a1d83c850dc007caac

  • C:\Windows\Fonts\The Kazekage.jpg

    Filesize

    1.4MB

    MD5

    d6b05020d4a0ec2a3a8b687099e335df

    SHA1

    df239d830ebcd1cde5c68c46a7b76dad49d415f4

    SHA256

    9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

    SHA512

    78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    145KB

    MD5

    6e0a5bad73ddf8b05ea69aa6775df2a3

    SHA1

    7185cfa795b13bfca5213af466aacc0ff4145968

    SHA256

    6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34

    SHA512

    58646b0234fd5377b5942eef4430bb9ac2187e802cfdd156cdd258940dbcb5951b91dc5882062d5f108f6e0900f6a3c5fcd6352940b4fa41318a8c3f9833b83b

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    145KB

    MD5

    c9507bc981d027da82011957485749bd

    SHA1

    2bc0b5a4948039fa6ed5b85f1d3700396f0ac4db

    SHA256

    841207a3b710c1413bba975b183878053841e5f2ea64f33d622460549ef4360b

    SHA512

    b9c2c4bdad1fc482d81eafea8dc0ef713471ab968dad569084ab70a07d34bbdd41662bd70479663b3b27d000185989f1d48627ba194acacc5a1ef04f8d6870fc

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    145KB

    MD5

    fbdcc2c9fb41faf4bc4a5714115b0c03

    SHA1

    399e356fe590f67179611b53ce3323bcb4e7c2ad

    SHA256

    8217787d9c4b093d8e8b76f4dc635216b145c96ff2f0bcba78eb6b2e29eabb7a

    SHA512

    dcb7ad69fa5afcf89a73c1624ee576d175ef10bf1d4c969561260581a5ffc065fe7a57804960b98476b7d760a81b4e3c85fd9cf35a5e38bbb48e3685be5af306

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    145KB

    MD5

    f87361bce6160b18368208e13a7b0faa

    SHA1

    5905a2c4d1cca58ce4d9f121d9753cdde4dde174

    SHA256

    71c828fbc172ab3fa5c2aae65896dbd20096f9c6c1942890bc12f8be5cf494a9

    SHA512

    787a1b65f0cd5f6aafbc3649561d1475d00027d950a344369064aa4a19199a257a40f9251d750caa59cdd3ed213085fd166c958abee8e5f6e46db758003682cc

  • C:\Windows\SysWOW64\Desktop.ini

    Filesize

    65B

    MD5

    64acfa7e03b01f48294cf30d201a0026

    SHA1

    10facd995b38a095f30b4a800fa454c0bcbf8438

    SHA256

    ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

    SHA512

    65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    145KB

    MD5

    4b5538130b031062f82947403b9cb9d3

    SHA1

    ca29a91fb5ddf4414f34469a359523f9d8715fe7

    SHA256

    06fd06548b9f40a582a01e63e1cb4aa4f712247fb2887c344553828ae6e9d83d

    SHA512

    a8106ac10d6a69e89ce0fd88800b7b8b41f95f995e28b24d009e9231dd405b5e795d28a19b60151c63e150ba36a859827f3658d800c29403d3c5a3261d7718f9

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    145KB

    MD5

    7d6c6e4b4f05c5df7686c20deb07e8e7

    SHA1

    55b9382d83b12dbef782ada33ec1ea981f298419

    SHA256

    72fec5c7d15b13c32c5cc1de3baffa28e2b23251fa9cdfddfe0d811b529c1cd4

    SHA512

    cc3ba46e7beac4497fe5ed49959a4524e3cc4e67f54d367e9eff649fcac72ca0770e142d0eedd2d9d9e1e2307ebc78c4d33392284c6df9518313248bc2304bee

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    145KB

    MD5

    39b9371bd53c9f754b0acd23e67e4d82

    SHA1

    46c264cc4910e520ec9736ba187a626ff0078715

    SHA256

    171d5835c5b1ad152bc4bfb5b36e9b93fd19032fa809f48863a5d8e4cfab8d68

    SHA512

    d5b59b846e46826e6a49584ce43aacd76d9661a8c787ef072c396b34ad45ea11cc05a5bad9a13bb2fde0e29f0bdf8635f90a1d0b2215dc58201f0097625fdaf0

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    145KB

    MD5

    2fd5b59c2ef085d3a83cb24371360fd2

    SHA1

    12fa8fe4474e063eb5dc8bea2cd74f591eefe87b

    SHA256

    8017052e03410378ae138abfe646da642cb433119207f78ad6e8fb36f24a621b

    SHA512

    1fc4a0f45c5bbeb9b61b34ffb59b0224f28bda969652b2d22107f5bb24e8a574bdcaa54d3192358b5b713f91cf070c66f3b61512f6c7ff238b6413158b2362a9

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    145KB

    MD5

    163a4e40fe2fbbef5c322cbfd26aa0bf

    SHA1

    a48278bba568f025164eb7632eede4ebe15681ed

    SHA256

    7beb1cf4ae9e7b360af6a5cb4ab68fa0d725c4783460b4d99bb8c5fb357c66b0

    SHA512

    89a4048307ae5b7d2b3684a1542952f65c5031830c0a53a17e9c43015eb195be626d04f0b295cfefc4845d58c4c038a6a256b45da1d99cbdecf983be66d73c7f

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    145KB

    MD5

    79f3856873ee41659442bf14f498c9cb

    SHA1

    51fce9d06ece6a23f262559918744785fe463734

    SHA256

    41631be670bbc8aa957c590b6938e14c424f2141db945973c109ae13538466e3

    SHA512

    fe433bf426f9f9a2dc4b15b90dc9d341c39ac5c94ef6f29ceed962ac4c49872ed347274eeaa594b36ff481d0129945211108b5d218d16e2a2d474cbd8538bb90

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    145KB

    MD5

    b5416bc6811b03d3b8787825c9cb8868

    SHA1

    da05ec0798d327753b4e85440b010e8ee047d199

    SHA256

    4947480682ddf46663563410142099a1417a8c0fbeb9a1e781ba406b77993c62

    SHA512

    1ff66f41b39cc941045b2dee33922e81fd7df71648faaad1268b3a7d45d0ce4d752e2387a2f330a61c959bb1b4fef65311c1b030aac4442992ef56f06ebe5aeb

  • C:\Windows\system\msvbvm60.dll

    Filesize

    1.3MB

    MD5

    5343a19c618bc515ceb1695586c6c137

    SHA1

    4dedae8cbde066f31c8e6b52c0baa3f8b1117742

    SHA256

    2246b4feae199408ea66d4a90c1589026f4a5800ce5a28e583b94506a8a73dce

    SHA512

    708d8a252a167fa94e3e1a49e2630d07613ff75a9a3e779a0c1fcbec44aa853a68c401f31a2b84152f46a05f7d93f4e5e502afc7a60236a22ac58dea73fa5606

  • F:\Admin Games\Kazekage.exe

    Filesize

    145KB

    MD5

    19554fe2333f590281323d63c7ae9382

    SHA1

    d9f10ca9a1e1cd65741cd156a98d261c9ef9ade9

    SHA256

    fc8025c035ea8f57fff5fbddc0231e80df2de34e9cebc8ab6b4e689225d76c1f

    SHA512

    88f9aae4a067d983363cd2102fd270d36ee9796cb2db70f4b9ef152d53bad61d50c3dec31c9b8ce566f98d1d7ab9eba126e885773b2d342b0468d72de70427be

  • \Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

    Filesize

    145KB

    MD5

    d366728f3533311010818fd568d5a037

    SHA1

    6d6cf2109bdc0c8aaadd70714ece3370cdec49d7

    SHA256

    452c0412462dafc7240d94d015b4f95cb9fae3c58c0df2632ff8449c462953b4

    SHA512

    584c09353e799142d832ec6ee3d1175b76c509595b51f9e43e025bd78defdc7fcb7dfbc48e8feaaefdc2e74a725b5ee93cd118fef1aad3802b2f30f880487c55

  • memory/528-300-0x0000000000430000-0x0000000000455000-memory.dmp

    Filesize

    148KB

  • memory/528-87-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/528-301-0x0000000000430000-0x0000000000455000-memory.dmp

    Filesize

    148KB

  • memory/528-118-0x0000000000430000-0x0000000000455000-memory.dmp

    Filesize

    148KB

  • memory/528-120-0x0000000000430000-0x0000000000455000-memory.dmp

    Filesize

    148KB

  • memory/528-299-0x0000000000430000-0x0000000000455000-memory.dmp

    Filesize

    148KB

  • memory/528-298-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/528-263-0x0000000000430000-0x0000000000455000-memory.dmp

    Filesize

    148KB

  • memory/648-264-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/704-284-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1060-256-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1060-259-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1068-243-0x0000000000500000-0x0000000000525000-memory.dmp

    Filesize

    148KB

  • memory/1068-228-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1068-553-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1252-281-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1268-127-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1336-252-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1336-248-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1524-247-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1652-244-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1848-220-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1920-274-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1988-185-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2000-269-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2032-180-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2064-251-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2064-255-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2180-223-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2316-191-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2316-304-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2332-278-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2492-174-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2492-169-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2520-137-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2520-128-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2616-291-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2724-296-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2724-297-0x0000000001D10000-0x0000000001D35000-memory.dmp

    Filesize

    148KB

  • memory/2724-555-0x0000000001D10000-0x0000000001D35000-memory.dmp

    Filesize

    148KB

  • memory/2800-294-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2900-78-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2956-295-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2956-32-0x0000000000440000-0x0000000000465000-memory.dmp

    Filesize

    148KB

  • memory/2956-0-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2956-288-0x0000000000440000-0x0000000000465000-memory.dmp

    Filesize

    148KB

  • memory/2964-287-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3056-302-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3056-303-0x0000000000380000-0x00000000003A5000-memory.dmp

    Filesize

    148KB

  • memory/3056-260-0x0000000000380000-0x00000000003A5000-memory.dmp

    Filesize

    148KB

  • memory/3056-139-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3056-554-0x0000000000380000-0x00000000003A5000-memory.dmp

    Filesize

    148KB