Analysis

  • max time kernel
    149s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    02/05/2025, 10:34

General

  • Target

    2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe

  • Size

    8.3MB

  • MD5

    252daf427ff74462bacd78a31277eb08

  • SHA1

    0eb53676e022d38ea20f2f2290f1781ea7edd527

  • SHA256

    4a0a1ecc1e6ee951eda7f8b8944f551558384e7e6cf84b7e1348126271c572fe

  • SHA512

    4a49e17b195d74f301cc336922790032bda92dd783f38d1c4f3368d7552dfe520899c6354388496b3fc71e9157fa5d1fd466ce1948ecbf8f521c7a500ba0268b

  • SSDEEP

    49152:9GyqWyWy0GyqWyWyMRPC1eHc785diLvQ8b1gtj:9GyqWyWy0GyqWyWyMRPC1eHL5dGYSW

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 32 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:6008
    • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
      "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2456
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1456
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3064
        • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
          "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5972
        • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
          "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5376
        • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
          "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4532
          • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
            "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4804
          • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
            "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4572
          • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
            "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3172
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:4812
            • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
              "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4768
            • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
              "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4844
            • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
              "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4948
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4892
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visibility of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Event Triggered Execution: Image File Execution Options Injection
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2416
              • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
                "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3308
              • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
                "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2088
              • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
                "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:6080
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:6112
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:5612
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:5592
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2476
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2232
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4952
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1520
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:732
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4440
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1160
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:448
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3256
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:5432
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2056
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5088
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3436
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3904
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3076
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4228
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2084
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5728
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4580
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4608
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:5504
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3928
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2056
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4692
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3524
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4164
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2648
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:6088
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5472
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5640
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5892
    • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
      "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4080
    • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
      "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2052
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3604
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2488
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:5776
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3992
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1728
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1704
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:5520
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4688
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe
    1⤵
    PID:5924
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe
    1⤵
    PID:4960
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2-5-2025.exe
    1⤵
    PID:2632
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c drivers\csrss.exe
    1⤵
    PID:436

          Network

                MITRE ATT&CK Enterprise v16

                Downloads

                • C:\Admin Games\Naruto games.exe

                  Filesize

                  8.3MB

                  MD5

                  b839e041fd7e3e52d5f28cd5aa81e753

                  SHA1

                  ce16337fed6a04c1f3233316e9a93453d158cb97

                  SHA256

                  bad31c7f9e1cb9dde324408e266921ac1fee90c5fc690a9b762ebac745f30c84

                  SHA512

                  8c49e2e17b917f448990a1f6db8a18d37e2b613c445403386339b0230e09065dc6d2fbc6a58c3a938d64979f656996e7b28b53afe61f9ded6e95f196808e0d96

                • C:\Admin Games\Readme.txt

                  Filesize

                  736B

                  MD5

                  bb5d6abdf8d0948ac6895ce7fdfbc151

                  SHA1

                  9266b7a247a4685892197194d2b9b86c8f6dddbd

                  SHA256

                  5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

                  SHA512

                  878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

                • C:\Autorun.inf

                  Filesize

                  196B

                  MD5

                  1564dfe69ffed40950e5cb644e0894d1

                  SHA1

                  201b6f7a01cc49bb698bea6d4945a082ed454ce4

                  SHA256

                  be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

                  SHA512

                  72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

                • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

                  Filesize

                  8.3MB

                  MD5

                  3bb2e9c9ac833744cd2a0807752d9d32

                  SHA1

                  4daadaf10f17a8d3c22dfaae0254e40b0845e378

                  SHA256

                  bcb3654eb2659c6390513f3d0aea931029c915cdb83b9ddc647a01042b0e7574

                  SHA512

                  ff7658a59b9dab6ce2ab13833914c18c51f85bc6f53bb8e9cb72fcaa397ff442b1ad785cb27ae7b575ef4f37f1d0d7d5de5662c520db6bcdd187fc2407d22f08

                • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

                  Filesize

                  8.3MB

                  MD5

                  252daf427ff74462bacd78a31277eb08

                  SHA1

                  0eb53676e022d38ea20f2f2290f1781ea7edd527

                  SHA256

                  4a0a1ecc1e6ee951eda7f8b8944f551558384e7e6cf84b7e1348126271c572fe

                  SHA512

                  4a49e17b195d74f301cc336922790032bda92dd783f38d1c4f3368d7552dfe520899c6354388496b3fc71e9157fa5d1fd466ce1948ecbf8f521c7a500ba0268b

                • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

                  Filesize

                  8.3MB

                  MD5

                  91c3c167099e163806fa4e43e70b57e7

                  SHA1

                  4eb6cb4ab26de3e3018cec984847d595463342d1

                  SHA256

                  e11c2215f0046d0a3e455e0b0f8a822c96dd99fd7bdb09598a699e8cfd6c30b4

                  SHA512

                  33499c6edbf39c7febd75430b363566cdbd89d5c76fae56a1ad16d20eb311c5550a9472fb8f087e7b3cc4995589d11e0909c0dd3373e57b91ea68a3654a4d117

                • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

                  Filesize

                  8.3MB

                  MD5

                  454738ad0b92942bb64b05e479a6845e

                  SHA1

                  490966a39f78ba900ddff3420fbb6f6106298ac6

                  SHA256

                  79d0ef7cfbe103a18724b0d094ef41380271310ca43e247e56cbea65c1dc5d43

                  SHA512

                  a69838044ee677faf7218db72b1f780c965e46388a6fcc7e28bbc5f83bd054208d60aa1857d58f100bb8b1f14d453ef697216dadf25de020898ed38d011dfa82

                • C:\Windows\Fonts\The Kazekage.jpg

                  Filesize

                  1.4MB

                  MD5

                  d6b05020d4a0ec2a3a8b687099e335df

                  SHA1

                  df239d830ebcd1cde5c68c46a7b76dad49d415f4

                  SHA256

                  9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

                  SHA512

                  78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

                • C:\Windows\SysWOW64\2-5-2025.exe

                  Filesize

                  8.3MB

                  MD5

                  333c8125df96373225d259a9193beaaa

                  SHA1

                  884dd7256d2cc6e244d7fafb6d28d49b85309ba2

                  SHA256

                  b7f91f3716918445f411cf0d5273ff85c5a3827c4d29dde4a28f6617a4f956d0

                  SHA512

                  5242bb9e2cd7b732c35f14d0821a746b3fc17afea1732174d8e777c9fb84893c513e1d4f1460edb59a954e9b9c3fd630276aed8e86669b59aafa37f6205833ca

                • C:\Windows\SysWOW64\2-5-2025.exe

                  Filesize

                  8.3MB

                  MD5

                  a6e65d27146e986088832686ea6bb611

                  SHA1

                  46ad0999a011c111f9aa1417d6a55edc0be9e817

                  SHA256

                  b67bf2d455f30d8a0579cf038d98974e425ef2d9c4f036e249e9ce3a16c3d6c4

                  SHA512

                  6bae2b32cd4b063eeae2b17fca7aefab60acb7b24a93bfdfab9c98774e13d1d191dce41342d0a8e7087d822f3a8f4e4f7913950b6620c17494792cb988ebc252

                • C:\Windows\SysWOW64\2-5-2025.exe

                  Filesize

                  1.9MB

                  MD5

                  7d3cd46a94029554cbe90f0396fb9c2f

                  SHA1

                  026e762cafc3ab5e457524463bea98629bc6c33c

                  SHA256

                  abb803bfd199cdb7785da871b6c70156be970aa81ef91e8a53fb7015980c0a9a

                  SHA512

                  c62b1efcb1b391b887042608535b22c90e40a2f98375dd6d37a7f40512ebcef1252b8cd28ac71bbae304d240445ae7c38bba0e318d5d37cdd7961de242a55159

                • C:\Windows\SysWOW64\2-5-2025.exe

                  Filesize

                  1.9MB

                  MD5

                  dbd5eb8a9897764cacab3d52b94756cd

                  SHA1

                  fe24178d69e2dfbc7a2fc8bb85ed75fc1b0e8bb5

                  SHA256

                  509f5d8f771406eebcec85ff76902a75ae0515c67af0d1aabcaa4856edda50e4

                  SHA512

                  45bc78e062967d9b17bd1fa4360a09057b15a326faf53b645cdf5f9fdaa574f42d73e920deed39f444f9cb0867c077aa0a954bd5c272eaf2355ce1916d8f30c7

                • C:\Windows\SysWOW64\Desktop.ini

                  Filesize

                  65B

                  MD5

                  64acfa7e03b01f48294cf30d201a0026

                  SHA1

                  10facd995b38a095f30b4a800fa454c0bcbf8438

                  SHA256

                  ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

                  SHA512

                  65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  8.3MB

                  MD5

                  7c06303be7c9f55f88df2a9cfee9d4f7

                  SHA1

                  aab57532bac323f9d4bf15afd420287c2682bd35

                  SHA256

                  ecbc9bfb84c10b8ef4b10a6347c77511cade26549e69dabee6a89333b20ca658

                  SHA512

                  fae9d7de3f351f68f6edd5a8221b95e33b83089386c5731164af53ddd117aa8276966b865c7948cae263cf02ddb08abb2a98d7dad981a737930870cf506a2ebd

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  8.3MB

                  MD5

                  3144c9f5554544ce9685ae74a79e87be

                  SHA1

                  fe23807122da2ec3e8750db8e760ea54690dc751

                  SHA256

                  0e1edeb613d8d45e288c5649e0f0a3b7e5669d5712b4e75d427ee06c9f82e2f1

                  SHA512

                  3213517748bfd2b557c7d125c11062f00f0f7bc9bbf5b9831fc1a47aaa14f27fbd38e77c84cf4c27ec35476503238a1e4b6ea51496e686a76e738c6279708caf

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  4.5MB

                  MD5

                  c3f454d22119d976867764c0b1265e27

                  SHA1

                  b2c23a538f28208c9e6d236be6e5068f5e7ce728

                  SHA256

                  0b32407738411b80ce60859eb04a3aa9fedc2b608583c83bff34abba3848deb0

                  SHA512

                  76c8a14733523e5dd4ffd951b17a30ed633e5bb34230f2764aada93ae8b4d4a81dac3cd145c2280543116f54dfd923a371c60d5b404a1a04513a104b767dd490

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  8.3MB

                  MD5

                  7b841592cf313c498c801764bf11854a

                  SHA1

                  74bcd3478cbc9e890a4e392617b3d82d485d0dd1

                  SHA256

                  02b835ea0e8db2f4a07a899910c2fbd7e57caa76c4a5ac0ac9c6992e2a564d14

                  SHA512

                  1fdf29ffaa3b9a075453b0293855970ed1b960c44799fe1a6944293397fd2fb394c012cced8a7950f4c4bba6187b1d01b25cffdce726e26f8e687fc1159724a9

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  2.4MB

                  MD5

                  30df67f75ecf3a687df6ae18898a0dbb

                  SHA1

                  b4d55d2a3d91985d4f93a5164ed365ba21d98f60

                  SHA256

                  282794efe4994578928679e17bc4c4ba21d8b41df34f891dbc5d7b442ccdaf28

                  SHA512

                  e45559c2b67a6ec81f060286ae5df36bbbf68fa7752df9463e8dd2c7b67a89e14c647141ea01f0806401ea80920f7851fba4e4db2805998de6c98e165cfd8b46

                • C:\Windows\System\msvbvm60.dll

                  Filesize

                  1.4MB

                  MD5

                  25f62c02619174b35851b0e0455b3d94

                  SHA1

                  4e8ee85157f1769f6e3f61c0acbe59072209da71

                  SHA256

                  898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

                  SHA512

                  f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

                • F:\Admin Games\Hokage-Sampit (Nothing).exe

                  Filesize

                  8.3MB

                  MD5

                  63c067dc1fac0c567176df5f297a1080

                  SHA1

                  0dc0e25393d8a841d497b5775baa892bf019475d

                  SHA256

                  f51a9f5d7ed920e779b0625382c95e705b91f50f6fa013ab323e2eb8fc3203b9

                  SHA512

                  d5b7b09978a0492d66aa680138a9df3c091fa63ba0ccda944e0c3238d878f0dca0a08978a918ffd15c21fcf3bace36f7487c2df5804d95ee76ec4c80acc085d6

                • memory/1456-79-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1456-70-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2084-264-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2088-244-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2416-275-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2416-303-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2416-531-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2416-219-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2456-536-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2456-299-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2456-172-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2456-32-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2456-305-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2488-297-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2648-283-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3064-449-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3064-306-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3064-207-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3064-77-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3064-300-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3172-168-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3172-164-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4080-287-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4164-279-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4532-301-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4532-237-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4532-538-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4532-122-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4532-307-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4572-162-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4804-156-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4812-308-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4812-173-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4812-302-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4812-252-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4812-492-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4844-206-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4892-215-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5376-114-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5376-119-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5432-260-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5612-256-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5728-271-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/6008-0-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/6008-298-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/6008-535-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/6008-163-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/6008-304-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/6112-251-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB
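Two checks a responder would want from the listings above, as an added example (not code from the sandbox report or from the sample): an IoC index that matches a file by drop path and by any of the digests recorded for that path, and a parser for the memory-dump names. The listings show why both are needed. The same drop path appears several times with different sizes and digests (2-5-2025.exe at 8.3MB and again at 1.9MB, Kazekage.exe at 8.3MB and 4.5MB), so a hunt keyed on one hash per path would miss live copies. Every memory dump, whatever the PID, covers the same 0x400000-0x42A000 region, which is 0x2A000 = 172032 bytes, exactly the 168KB each entry lists, at the default image base of a 32-bit executable. The paths, digests and dump names below are transcribed from the report (a subset); the function names, the verdict labels and the reading of the dump name's middle number as an ordering index are this example's own assumptions.

```python
"""Triage helpers for the dropped-file and memory-dump listings above.

Added example, not code from the sandbox or from the sample. The paths,
digests and dump names are transcribed from the report (a subset); the
function names and verdict labels are this example's own.
"""
import hashlib
import os
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# (path, sha256) pairs from the report. One path can carry several digests,
# so the index keeps a set per path rather than one "golden" hash.
DROPPED_FILES = [
    (r"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe",
     "4a0a1ecc1e6ee951eda7f8b8944f551558384e7e6cf84b7e1348126271c572fe"),
    (r"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe",
     "e11c2215f0046d0a3e455e0b0f8a822c96dd99fd7bdb09598a699e8cfd6c30b4"),
    (r"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe",
     "79d0ef7cfbe103a18724b0d094ef41380271310ca43e247e56cbea65c1dc5d43"),
    (r"C:\Windows\SysWOW64\2-5-2025.exe",
     "b7f91f3716918445f411cf0d5273ff85c5a3827c4d29dde4a28f6617a4f956d0"),
    (r"C:\Windows\SysWOW64\drivers\Kazekage.exe",
     "ecbc9bfb84c10b8ef4b10a6347c77511cade26549e69dabee6a89333b20ca658"),
    (r"C:\Windows\SysWOW64\drivers\system32.exe",
     "02b835ea0e8db2f4a07a899910c2fbd7e57caa76c4a5ac0ac9c6992e2a564d14"),
]

# Dump names from the report (a subset): memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
DUMPS = [
    "memory/6008-0-0x0000000000400000-0x000000000042A000-memory.dmp",
    "memory/6008-298-0x0000000000400000-0x000000000042A000-memory.dmp",
    "memory/2456-32-0x0000000000400000-0x000000000042A000-memory.dmp",
    "memory/4532-538-0x0000000000400000-0x000000000042A000-memory.dmp",
]

def normalise(path):
    """Case-fold a Windows path so differently cased spellings compare equal."""
    return str(PureWindowsPath(path)).casefold()

def build_index(entries):
    """Map normalised path -> set of known SHA-256 digests (lower-case hex)."""
    index = defaultdict(set)
    for path, digest in entries:
        index[normalise(path)].add(digest.lower())
    return index

def classify(path, sha256, index):
    """'hash-match', 'path-match' (known drop path, unknown hash) or 'none'.

    A path-match is still an alert: the report lists one path with several
    digests, so the path is a more stable indicator than any single hash.
    """
    known = index.get(normalise(path))
    if known is None:
        return "none"
    return "hash-match" if sha256.lower() in known else "path-match"

def sha256_of_file(path, chunk=1 << 20):
    """Stream a file through SHA-256; the drops here are multi-megabyte."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def scan_host(index):
    """On a Windows host, hash every known drop path that exists: {path: verdict}."""
    return {p: classify(p, sha256_of_file(p), index)
            for p in index if os.path.exists(p)}

# <n> is read here as the report's ordering index for that process; that is an
# assumption, the page does not define it.
_DUMP = re.compile(r"^memory/(?P<pid>\d+)-(?P<n>\d+)-0x(?P<start>[0-9a-fA-F]+)"
                   r"-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$")

def parse_dump_name(name):
    """Recover pid, index, address range and byte size from a dump name."""
    m = _DUMP.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name}")
    return {"pid": int(m["pid"]), "n": int(m["n"]),
            "start": start, "end": end, "size": end - start}

def size_label(nbytes):
    """Render a byte count the way the report does: 0x2A000 bytes -> '168KB'."""
    return f"{nbytes // 1024}KB"

def shared_region(names):
    """The single (start, end) range if every dump covers the same one, else None."""
    ranges = {(d["start"], d["end"]) for d in map(parse_dump_name, names)}
    return ranges.pop() if len(ranges) == 1 else None
```

On a suspected Windows host, `scan_host(build_index(DROPPED_FILES))` hashes whichever of the listed drop paths exist and returns a verdict per path; treat a `path-match` as a hit to investigate rather than a clean result, since the report itself records several different digests for one path. `shared_region(DUMPS)` returns `(0x400000, 0x42A000)` for the names listed, and `size_label` of that range reproduces the `168KB` the report prints.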