Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/10/2024, 22:56

General

  • Target

    6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe

  • Size

    145KB

  • MD5

    6e0a5bad73ddf8b05ea69aa6775df2a3

  • SHA1

    7185cfa795b13bfca5213af466aacc0ff4145968

  • SHA256

    6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34

  • SHA512

    58646b0234fd5377b5942eef4430bb9ac2187e802cfdd156cdd258940dbcb5951b91dc5882062d5f108f6e0900f6a3c5fcd6352940b4fa41318a8c3f9833b83b

  • SSDEEP

    1536:1Jo0IHgL2AHfb1mzaFXg+xsukl4Y17jsgS/jHagQNuXGpeVTVG:zx6AHjYzaFXg+w17jsgS/jHagQg19VG

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 34 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe
    "C:\Users\Admin\AppData\Local\Temp\6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2988
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:116
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1196
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2076
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2436
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1936
        • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
          "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2276
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:5056
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4216
          • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
            "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1752
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:756
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2228
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4928
            • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
              "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4944
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3232
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visiblity of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Event Triggered Execution: Image File Execution Options Injection
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3608
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2176
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2308
              • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
                "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4576
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1668
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4400
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4296
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3744
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:804
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4228
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3624
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1532
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1336
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:896
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1196
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1532
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2996
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4860
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1896
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:64
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:704
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1920
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1996
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4156
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1952
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1688
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:956
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3052
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2324
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1848
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2636
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1584
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4228
      • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
        "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1588
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3364
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1660
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2220
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1988
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:536
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5056
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1532
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2000
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2432
    • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe
      "C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1172
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2936
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3944
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:944
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4892
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2112
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1588

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Admin Games\Readme.txt

    Filesize

    736B

    MD5

    bb5d6abdf8d0948ac6895ce7fdfbc151

    SHA1

    9266b7a247a4685892197194d2b9b86c8f6dddbd

    SHA256

    5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

    SHA512

    878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

  • C:\Autorun.inf

    Filesize

    196B

    MD5

    1564dfe69ffed40950e5cb644e0894d1

    SHA1

    201b6f7a01cc49bb698bea6d4945a082ed454ce4

    SHA256

    be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

    SHA512

    72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

  • C:\Gaara.exe

    Filesize

    145KB

    MD5

    6e0a5bad73ddf8b05ea69aa6775df2a3

    SHA1

    7185cfa795b13bfca5213af466aacc0ff4145968

    SHA256

    6902aecc36502ad36f956dd6f6e6ee787d43ee6c38b8def8444779a282785a34

    SHA512

    58646b0234fd5377b5942eef4430bb9ac2187e802cfdd156cdd258940dbcb5951b91dc5882062d5f108f6e0900f6a3c5fcd6352940b4fa41318a8c3f9833b83b

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\Gaara.exe

    Filesize

    145KB

    MD5

    a29f5849837c5cf16d9bc7b9b6c2c6d1

    SHA1

    a483837302f64b8d9df42981c60ee8ce0cdba2de

    SHA256

    44ac7c7db112c899b9921d67036ec2ae63f36b8d1d456f354fa6d3d75472e62f

    SHA512

    ed87234170801357f9b6e3c4b5770418b7b51237ff7ac0e18a8ceed545047e1d44cabd30da05ba63b3c7159e5fe1e8c7fde4330e53dc74eb986b845286b87cc2

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

    Filesize

    145KB

    MD5

    e2e24b204e58e16848e4678218173efc

    SHA1

    6e952126c7f84599f9a7014d979b6d24413c5ace

    SHA256

    7dfa145b92874212c8de21f5140a0b7924798874deafd1b2a19baaa344e9a164

    SHA512

    469b7a73638c4d2adfe4193666a70db9c42011572eb728a098829a489c7734750aa71e3c473b107460b91286ff6370044fc44d11d366b0f311746ebbd9d0854e

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\csrss.exe

    Filesize

    145KB

    MD5

    844864ae07faca0a236ff2fc17e60ab8

    SHA1

    522a58c1af85a478fa8b6964fc24dae9f5a15f66

    SHA256

    791aae2fc70654086f4cb7f31ecde14ac8b1d57ac2f2fc918b2b96518dad84a5

    SHA512

    6a2e5c9a5bafa5cc79ab28a10cebbcb905ab71b2d2ff9396da7dfc5e3f0b439ec81f5bf019dcd7c11de776a71220fd18960d631caeb2388b59094f6897abd0b7

  • C:\Windows\Fonts\Admin 20 - 10 - 2024\smss.exe

    Filesize

    145KB

    MD5

    d366728f3533311010818fd568d5a037

    SHA1

    6d6cf2109bdc0c8aaadd70714ece3370cdec49d7

    SHA256

    452c0412462dafc7240d94d015b4f95cb9fae3c58c0df2632ff8449c462953b4

    SHA512

    584c09353e799142d832ec6ee3d1175b76c509595b51f9e43e025bd78defdc7fcb7dfbc48e8feaaefdc2e74a725b5ee93cd118fef1aad3802b2f30f880487c55

  • C:\Windows\Fonts\The Kazekage.jpg

    Filesize

    128KB

    MD5

    02770ec1a321e19ddd06cdb29d69ffe3

    SHA1

    d51b0b4d5de7a3c64dd320cfddd06614a2ab7af2

    SHA256

    72424cc8831eccd132639f5a2b6541c9bb2d638baf4397186a984bc353b7b579

    SHA512

    d816faa1abdee5c0879a4240b30abd156962a5dabb6d072bfcb84aae1d69d8c50ad8f8519db1db9a6fbdeee8a10c643f110800aed1c84957573501bcae178d4f

  • C:\Windows\Fonts\The Kazekage.jpg

    Filesize

    1.4MB

    MD5

    d6b05020d4a0ec2a3a8b687099e335df

    SHA1

    df239d830ebcd1cde5c68c46a7b76dad49d415f4

    SHA256

    9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

    SHA512

    78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    145KB

    MD5

    c9507bc981d027da82011957485749bd

    SHA1

    2bc0b5a4948039fa6ed5b85f1d3700396f0ac4db

    SHA256

    841207a3b710c1413bba975b183878053841e5f2ea64f33d622460549ef4360b

    SHA512

    b9c2c4bdad1fc482d81eafea8dc0ef713471ab968dad569084ab70a07d34bbdd41662bd70479663b3b27d000185989f1d48627ba194acacc5a1ef04f8d6870fc

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    145KB

    MD5

    5a38cc5306fd2f6c6bb566f4c48bf4a0

    SHA1

    f8b31c96b1bc8ac0be33b6cb9cda26d6b034f165

    SHA256

    aff3aa590488cbe8f966fe484a0dbe5dd37241a142f12364bd50b86c1713e3c7

    SHA512

    7e7ce6de1f14cfc2b4912dfabc1c280985111229b278e05a75c8ca0f6d9457b02eb02710853479e7566bb45a66003a7d55df24d1a8c3a59aff83695bf09bdb56

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    145KB

    MD5

    c824619f34e794bb0775397576b58737

    SHA1

    91ef27688e4943faf219a5a597535b9f35268a4d

    SHA256

    23f4fdc8a856203bf13c721e704c8afc0f65458fdfd890d20aa755d4af5c9037

    SHA512

    b79856f6d6465610c6bad096cf24d69f8186f1fd7551538296a0be7aa4ef69c7755fc9aa7a77048c147e8f9037de4e071930e134794956ae7b5baaeca9010b1e

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    145KB

    MD5

    e59d46ad56d9bc203ff9f513bd933631

    SHA1

    d79423bd7d5bc18aa89ebc8eefc8bc942f2176b2

    SHA256

    8da15410ad5e8f8d96306ae069be3a58f3e7a5cbe2c7886ff075b60d71c7fb1a

    SHA512

    8c1c7d3c10e3b68392c917be9c5ff4fbebef17973b9560530efdff7b42c7fd20639fbd9980f8f4d9f7bb94d87f54c9373fe99332dccb57a65d0ee84c86573b39

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    145KB

    MD5

    7293de8d455547acf064895c2ae3f6a0

    SHA1

    ceafaf5cd50c38beda48e33806d021e9e3cde8cc

    SHA256

    dd3fabc24c407b50fb49f60b224927809848d4328db567c1d37d016593e6447f

    SHA512

    4b741fd0dd94a32e30da7b5ccdb391fbe72a093bdca60efcace1a69b0be09b5d050628eaa5fbdbcb5107fa83901c1f7c9e49a5c1d4f4c13d7594ca1b7b0a4508

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    145KB

    MD5

    6b9438734a95bb6015bcdd55f10823bf

    SHA1

    ea7beadef020b13106a563776f69bb9649d52162

    SHA256

    f15e4d241a0561cf731aefdad0748839ce70eb795afb9a5be186a2ebe471dd83

    SHA512

    cd965d4f83b0172d61d9ec8a045d0d2bd17558206860a9c8b39607e24a1d36f9dba27b6a4514c1ddec94a2c04e9ada9e71200a158d19e75365178659e6329b5c

  • C:\Windows\SysWOW64\20-10-2024.exe

    Filesize

    145KB

    MD5

    f87361bce6160b18368208e13a7b0faa

    SHA1

    5905a2c4d1cca58ce4d9f121d9753cdde4dde174

    SHA256

    71c828fbc172ab3fa5c2aae65896dbd20096f9c6c1942890bc12f8be5cf494a9

    SHA512

    787a1b65f0cd5f6aafbc3649561d1475d00027d950a344369064aa4a19199a257a40f9251d750caa59cdd3ed213085fd166c958abee8e5f6e46db758003682cc

  • C:\Windows\SysWOW64\Desktop.ini

    Filesize

    65B

    MD5

    64acfa7e03b01f48294cf30d201a0026

    SHA1

    10facd995b38a095f30b4a800fa454c0bcbf8438

    SHA256

    ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

    SHA512

    65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    145KB

    MD5

    7d6c6e4b4f05c5df7686c20deb07e8e7

    SHA1

    55b9382d83b12dbef782ada33ec1ea981f298419

    SHA256

    72fec5c7d15b13c32c5cc1de3baffa28e2b23251fa9cdfddfe0d811b529c1cd4

    SHA512

    cc3ba46e7beac4497fe5ed49959a4524e3cc4e67f54d367e9eff649fcac72ca0770e142d0eedd2d9d9e1e2307ebc78c4d33392284c6df9518313248bc2304bee

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    145KB

    MD5

    b4b0b145dd8143af911d7fb35524a6cb

    SHA1

    cdf3b65281a22165ce240fe7475119d082facb89

    SHA256

    924ead6b4f68259243dbed55b80e6ff627cdd2d87461478f3307fb07aad6fc78

    SHA512

    57cf7678b50a236eb0f89549d162b42ade6985aedf2d7c5eef7cf1d01336447e77e82aed4f4851393555acfa99c68833a80ec1f02d716f2259547ee6b723891e

  • C:\Windows\SysWOW64\drivers\Kazekage.exe

    Filesize

    145KB

    MD5

    4b5538130b031062f82947403b9cb9d3

    SHA1

    ca29a91fb5ddf4414f34469a359523f9d8715fe7

    SHA256

    06fd06548b9f40a582a01e63e1cb4aa4f712247fb2887c344553828ae6e9d83d

    SHA512

    a8106ac10d6a69e89ce0fd88800b7b8b41f95f995e28b24d009e9231dd405b5e795d28a19b60151c63e150ba36a859827f3658d800c29403d3c5a3261d7718f9

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    145KB

    MD5

    163a4e40fe2fbbef5c322cbfd26aa0bf

    SHA1

    a48278bba568f025164eb7632eede4ebe15681ed

    SHA256

    7beb1cf4ae9e7b360af6a5cb4ab68fa0d725c4783460b4d99bb8c5fb357c66b0

    SHA512

    89a4048307ae5b7d2b3684a1542952f65c5031830c0a53a17e9c43015eb195be626d04f0b295cfefc4845d58c4c038a6a256b45da1d99cbdecf983be66d73c7f

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    145KB

    MD5

    a2c1369c97dc52cc118434b3e077f5b4

    SHA1

    f66e9efe96a59a1956eefb151a8b1ee467e5fe7b

    SHA256

    7b1505c50d3453c18c381b505fe5cfd861d906fd1b1609b6a89f826035f662f3

    SHA512

    da6b4abc636ef4e5ca967ab0d393463a80b092f39554dd6e54019b2c433de09da3d7122d06dee8961647af09052e8abd0acdf6e3f082e850591acac3d7581023

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    145KB

    MD5

    21b0e664fdf04122801e4ff76652ec77

    SHA1

    2027555262ae351f1ec7863e6b05e239441a23ba

    SHA256

    143c54b89586a08ac734dd66ea449b180aa3089fba1cf5cf0acbfdb2739a0ffa

    SHA512

    96bdb1038b32236de71b700024ce0d8c6e334c0f98848f9292fcc1e18e3c94bffd192e801d403499bdb2689aa3b0a17d80ec11164ad920d52890e29a7fb83af2

  • C:\Windows\SysWOW64\drivers\system32.exe

    Filesize

    145KB

    MD5

    2fd5b59c2ef085d3a83cb24371360fd2

    SHA1

    12fa8fe4474e063eb5dc8bea2cd74f591eefe87b

    SHA256

    8017052e03410378ae138abfe646da642cb433119207f78ad6e8fb36f24a621b

    SHA512

    1fc4a0f45c5bbeb9b61b34ffb59b0224f28bda969652b2d22107f5bb24e8a574bdcaa54d3192358b5b713f91cf070c66f3b61512f6c7ff238b6413158b2362a9

  • C:\Windows\System\msvbvm60.dll

    Filesize

    1.4MB

    MD5

    25f62c02619174b35851b0e0455b3d94

    SHA1

    4e8ee85157f1769f6e3f61c0acbe59072209da71

    SHA256

    898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

    SHA512

    f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

  • F:\Admin Games\Hokage-Sampit (Nothing).exe

    Filesize

    145KB

    MD5

    8bcd1688202333e3f0708c8330394e78

    SHA1

    b00916f676da65ed698aa5a66fc74023baaadda0

    SHA256

    8197ceb951644b233a7b0ba93c1c9ece36e17f305e5aed568cb287f89b24f649

    SHA512

    46b75a316f1a124720649c7819b1c9cd4346e3e93f63d37104afebfed48464346324bac015d566653d81e6b2af665767a972969b6e7e237dfe40ee09e30a94ed

  • memory/116-527-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/116-34-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/756-163-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/756-530-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/956-252-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1196-70-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1196-79-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1660-260-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1668-237-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1688-249-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1752-165-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1752-156-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1896-244-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1936-121-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1936-113-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2076-75-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2076-528-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2176-228-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2228-192-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2276-529-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2276-122-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2308-231-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2432-263-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2436-115-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2936-268-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2988-0-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/2988-526-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3232-208-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3364-257-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3608-206-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3608-531-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/3944-271-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4216-158-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4400-240-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4576-234-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4928-197-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4944-201-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB