Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/05/2025, 11:06

General

  • Target

    2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe

  • Size

    9.1MB

  • MD5

    24e7c1a8417dc201634e941d8b909cc9

  • SHA1

    d5239624c22cbe561bd329a47990acf8be008315

  • SHA256

    3b322952e1c18e764d5d989406a13f4c2f4fcef039860d6cf45ba100a2abf76b

  • SHA512

    3c87c96300069756ec558532ea5965d8c67803684ed0f050227c3a2e2a3ed714430b3302b66f237ec0cd7843bc06fdc9c7bada32a0258a1826ba1190d7104d23

  • SSDEEP

    49152:FGyqWyWy0GyqWyWyMRPC1eHc785diLvQ8b1gt/Ido:FGyqWyWy0GyqWyWyMRPC1eHL5dGYSEYo

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 30 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-02_24e7c1a8417dc201634e941d8b909cc9_black-basta_elex_luca-stealer.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:5096
    • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
      "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2492
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4492
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4852
        • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
          "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4808
        • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
          "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:6052
        • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
          "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:2976
          • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
            "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2796
          • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
            "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:5336
          • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
            "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1372
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:5260
            • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
              "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:6092
            • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
              "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3460
            • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
              "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2496
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:5760
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:5384
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4368
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2808
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:5908
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:5520
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3796
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2496
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1604
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5520
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5356
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4188
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:640
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2244
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4500
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3516
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1048
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:956
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4700
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4868
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3336
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3680
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1780
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3416
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3860
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5912
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3004
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4656
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2764
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3560
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4468
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4740
    • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
      "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:232
    • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
      "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5624
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5608
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1376
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:452
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5252
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:348
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5924
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4352
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5472
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2860
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3772
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2476
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5924
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5716
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:5604
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4732
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3232
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:232
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:5404
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4756
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe
    1⤵
      PID:5388
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe
      1⤵
        PID:2036
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c 2-5-2025.exe
        1⤵
          PID:3444
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c drivers\csrss.exe
          1⤵
            PID:4944

          Network

                MITRE ATT&CK Enterprise v16

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Admin Games\Readme.txt

                  Filesize

                  736B

                  MD5

                  bb5d6abdf8d0948ac6895ce7fdfbc151

                  SHA1

                  9266b7a247a4685892197194d2b9b86c8f6dddbd

                  SHA256

                  5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

                  SHA512

                  878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

                • C:\Autorun.inf

                  Filesize

                  196B

                  MD5

                  1564dfe69ffed40950e5cb644e0894d1

                  SHA1

                  201b6f7a01cc49bb698bea6d4945a082ed454ce4

                  SHA256

                  be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

                  SHA512

                  72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

                • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

                  Filesize

                  9.1MB

                  MD5

                  bf800ffc0ff13cda9a5cb633f5c65d57

                  SHA1

                  6a173ec33fabd87c4aec58cd98ec82d95bad39e1

                  SHA256

                  8401fbd0e05e634f30287f1a31604b8f432139b8112407747a072996123a2b3b

                  SHA512

                  d5e6c7e06654e44b0702d0b34901267153db073558f22477b119d0d55f2ff83d8329f2dd807cf55fcecea945c935b80c65572edfa90825740af89ae719cf48e0

                • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

                  Filesize

                  9.1MB

                  MD5

                  24e7c1a8417dc201634e941d8b909cc9

                  SHA1

                  d5239624c22cbe561bd329a47990acf8be008315

                  SHA256

                  3b322952e1c18e764d5d989406a13f4c2f4fcef039860d6cf45ba100a2abf76b

                  SHA512

                  3c87c96300069756ec558532ea5965d8c67803684ed0f050227c3a2e2a3ed714430b3302b66f237ec0cd7843bc06fdc9c7bada32a0258a1826ba1190d7104d23

                • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

                  Filesize

                  9.1MB

                  MD5

                  e29eaf33fc952c843e007fdd0c068a14

                  SHA1

                  70434f3899cb17976277491543c9ecb7abc80340

                  SHA256

                  12d8e18c114deda6f4000ba939f789d3b79222b2f14e8c2cc580276f63dca9c4

                  SHA512

                  1ebc8048834b500cec41b5195cb37b44a9e6d3210c2b2a2c3c7c7d1e4cb85344e2e193f843e6ada70026ee103391fe9f47cc490ef8fd8677c52e30e1b6b2d072

                • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

                  Filesize

                  9.1MB

                  MD5

                  4674b3cae18063f058d3db42c1bde21b

                  SHA1

                  307fcd931ef8244741f4ff8789583f34728f202c

                  SHA256

                  ae620bb744ebbe992c14680b27d111910c323591f09b7e367e686b16fd8a9a54

                  SHA512

                  b30a5c84ae6fb035d741c9d0e83258a1803d407dc03f2ebc9a61abb61627552c3bb85bbea56a9364d01b48c35fb7f323ebe9096e813a7a3e7d4a059247c4f16c

                • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

                  Filesize

                  9.1MB

                  MD5

                  6ce7284de85d3acece3da910a6d3cb73

                  SHA1

                  243364f9a2bcbf5ad496ff86479e3ce5f1541909

                  SHA256

                  8c618964947dcd836d52de4ad671b2f6cd90bf9fc6ec85bf9aa0423b7479dc2a

                  SHA512

                  ad7c60efed40259327ca0a43310ce1ed7f7b7602595c38a52ae7e1fb1400f5566674d9a87e63f779a6a5ae2b69eccd6413b6251176ddd8349adeeb906ea58ce0

                • C:\Windows\Fonts\The Kazekage.jpg

                  Filesize

                  1.4MB

                  MD5

                  d6b05020d4a0ec2a3a8b687099e335df

                  SHA1

                  df239d830ebcd1cde5c68c46a7b76dad49d415f4

                  SHA256

                  9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

                  SHA512

                  78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

                • C:\Windows\SysWOW64\2-5-2025.exe

                  Filesize

                  9.1MB

                  MD5

                  8967c1369f3d5286fe713e7a2b09c8e6

                  SHA1

                  709437271e4bcf282b74a14ed9a65ce548e00a61

                  SHA256

                  a0af974815a05df3c2176fa25ffc2f6ff31b9eec160e9da935d97792cebca9eb

                  SHA512

                  439bdf2ce88cf3561da40253caf6097e63f9864967615a22cc56b6c4442b20c04226bd9b3448c43cc51c7311aa8d15072483577e643562e716ee26ee9dff67ee

                • C:\Windows\SysWOW64\2-5-2025.exe

                  Filesize

                  9.1MB

                  MD5

                  fe21144bf71b7f69b82f9f272039e81e

                  SHA1

                  570d228ad457c079b14bb167080f6affaee99117

                  SHA256

                  cabf5136ccf9eca88ac8ff8d3f674d15d78067fe4e912617032a15f712064d34

                  SHA512

                  159419822ed62dda53540bce7dd933fe19f3218242c313385f760c4c667102b7521afa78bd42ed79db7078ca4a3ba8dd2c7934a9b5ea3e33e4e123461bfcd181

                • C:\Windows\SysWOW64\2-5-2025.exe

                  Filesize

                  9.1MB

                  MD5

                  b1f72e0bf39a31cdf59124e316a3a528

                  SHA1

                  fae2f3db30cf1d3228b827e70812a63e475e964a

                  SHA256

                  42d039dcb395e867e97657a342047c94ca04fe1e09574ecdd9392d88676d6e93

                  SHA512

                  311477221b05510dc1d9f87beb0054229b91f379896bbdcc50fbcb7d37d39ed073b8dc0a5f87e6f18177747397901afd85f0cc14efeca6c0c65d0e7050758cb3

                • C:\Windows\SysWOW64\2-5-2025.exe

                  Filesize

                  9.1MB

                  MD5

                  7f2154e9305d7f2c4bb22199f4815809

                  SHA1

                  6d2b832b85d65fcaefeb2d583cc3a09b6e565660

                  SHA256

                  db6c0a1a179a37465061622ad65d4a8672122aa08212e2fd99d07718c4907692

                  SHA512

                  bd32c2177948f375c3b0cb717cf66ad6fe652f30cadf1561c05fe76f726b052bee23e5bab28efb51d012788dffc282d1ae90fb00562a313bc98342300349e9cb

                • C:\Windows\SysWOW64\Desktop.ini

                  Filesize

                  65B

                  MD5

                  64acfa7e03b01f48294cf30d201a0026

                  SHA1

                  10facd995b38a095f30b4a800fa454c0bcbf8438

                  SHA256

                  ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

                  SHA512

                  65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  9.1MB

                  MD5

                  efa9a0f5d742dd7a5c815228021fa7ab

                  SHA1

                  e9d4498fc4e07d4da93e937d7931718a12f9f70c

                  SHA256

                  f52f6041eff51b294c366b32cb8017641efdc85e6e77eb8ef763b1b1e0f50020

                  SHA512

                  8d558a20e09e746c25458981a43aa95f6fac32db2d68daefe51136f4062ebde7fe41186555344639d5891fb0723c087f6378ba7c32e220f0c136fdf9a13bf828

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  9.1MB

                  MD5

                  9f21b8f864ced7d7da1902beca1c6de4

                  SHA1

                  506dcd9f054b03d007942329291d4791628635d1

                  SHA256

                  65ebfb04eaabcae9f46933de4d7c8d381accc574820e2a72fc83fba464f352ba

                  SHA512

                  8c9749eb88914d9f1e79c5c499e66585e860ab22c98beda125fa34f89f3c71b061cf540909d615d9ab41eb66b9280e136305d45955fa7f9b561fdc78a463719b

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  9.1MB

                  MD5

                  88c13dc651c9979a6750bf8f979385e8

                  SHA1

                  fe08f5caae349c91da9e3235f9fe18c379e311d2

                  SHA256

                  1bb4c5e49772b6e45bd63583e3b66056db1627005762293ef5e0c60e6111e6aa

                  SHA512

                  0d3325e24115ecb8d10f19c3ea2a56cd9674ac0cd2015a0e316da94b37a4de7ae0a4a4cb2c3b730c09428265a06c58217c3d573f83b8d6ba1092ac221afa53db

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  9.1MB

                  MD5

                  f3b127bf4e0a06df17629039a745ad87

                  SHA1

                  aea63a7d978c1947babffab03d88b41894b1bd77

                  SHA256

                  1d2e9b08f369b55b8d1abeb8bdd84fcf09937a0ac4ed6e035c2946acc68546b7

                  SHA512

                  5a46436d6b0d969041b04756a6a6ad6b6659bfff837289e4bd55687a2f8b1328059006df1ce7fe7bb92d9e62562ece74772e5d647d818a27e0cc11030e382429

                • C:\Windows\SysWOW64\mscomctl.ocx

                  Filesize

                  9.1MB

                  MD5

                  5a6cc9ce188da8161fd0c906caaab3cc

                  SHA1

                  95522ebe8820e96590e80c0e9a4b77fed67d176b

                  SHA256

                  fcaf377663ab11cbe9b692f1bd9b9a16678652c010e2717078882e7158e1194a

                  SHA512

                  87d1ea7ae857e28cede0e68cfb56fb23fb9bf11baf18df7f28bf9cb2187de72d31f753d5e125c49910d6b48188097155daae2ca9485844c25974120abc63b930

                • C:\Windows\System\msvbvm60.dll

                  Filesize

                  1.4MB

                  MD5

                  25f62c02619174b35851b0e0455b3d94

                  SHA1

                  4e8ee85157f1769f6e3f61c0acbe59072209da71

                  SHA256

                  898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

                  SHA512

                  f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

                • memory/232-177-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/452-243-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1048-301-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1372-180-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1376-544-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1376-307-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1376-268-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1376-215-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1604-292-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2492-304-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2492-152-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2492-310-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2492-32-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2492-365-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2496-242-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2976-125-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2976-308-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2976-214-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2976-539-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3416-246-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3416-222-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3460-247-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3516-294-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3860-259-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4352-302-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4352-297-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4492-75-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4492-70-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4852-173-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4852-306-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4852-496-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4852-79-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5096-364-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5096-0-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5096-303-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5096-124-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5096-309-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5252-274-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5252-256-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5260-254-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5260-305-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5260-454-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5260-186-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5336-169-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5384-283-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5608-209-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5608-188-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5624-183-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5760-270-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5912-272-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5912-255-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5924-296-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/6052-114-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/6052-119-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB