Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/05/2025, 10:40

General

  • Target

    2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe

  • Size

    8.3MB

  • MD5

    2dbb5c1082d809ce83df93eb2f480a30

  • SHA1

    c78a7e6ffe18f24d352c9540d22b18fb13fbf477

  • SHA256

    b672ba2801a2f3f9ca5b3bc1b8bee564c4a7c32bd33fb5bf19d585146eeef8cf

  • SHA512

    021be5d67af78098e5f5aa6964942aaf22a1d00252a43962679b16586f76c92adbf6c1d3d4dd7b4f841f0a9e79b548cb916df3212b6c68c6b4b5bb5e939d6db4

  • SSDEEP

    49152:hGyqWyWy0GyqWyWyMRPC1eHc785diLvQ8b1gtj:hGyqWyWy0GyqWyWyMRPC1eHL5dGYSW

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1412
    • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
      "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5560
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4848
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4964
        • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
          "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3800
        • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
          "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3672
        • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
          "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4944
          • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
            "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1680
          • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
            "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2012
          • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
            "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4032
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:5016
            • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
              "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2252
            • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
              "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:5188
            • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
              "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3144
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2140
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:5864
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3304
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:6060
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:6032
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:5456
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2528
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:5572
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2848
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:216
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2324
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:100
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2552
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4116
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4908
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:3704
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2188
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2656
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3948
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2584
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4448
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4308
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:5076
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4320
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1464
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5504
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1592
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5768
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1688
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5100
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3280
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5544
    • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
      "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4068
    • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
      "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5892
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4532
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3256
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5596
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5720
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3960
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5340
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1852
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2896
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1208
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3740
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1624
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4748
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4808
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2144
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:5332
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4908
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4404
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:5628
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4872
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe
    1⤵
      PID:1964
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe
      1⤵
        PID:3752
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c 2-5-2025.exe
        1⤵
          PID:2544
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c drivers\csrss.exe
          1⤵
            PID:2196

          Network

                MITRE ATT&CK Enterprise v16

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Admin Games\Kazekage VS Hokage.exe

                  Filesize

                  8.3MB

                  MD5

                  28fa0d74e3f0ad2191038715aecada1a

                  SHA1

                  075dd97f41966e3a0741c0caab5c95a1fc18a5ea

                  SHA256

                  f1651c80a437b451bf97b777a8eafeba44d34110cf991e7b1f6ce238b849d492

                  SHA512

                  b340522a1a52fe62d34e9fccedeb2c90d7b59af0c1b273d489df1baa150687f798503315c0733ddbea3e5e8de78f4e585acca46c8835d1c6e502eb8cfb06d824

                • C:\Admin Games\Readme.txt

                  Filesize

                  736B

                  MD5

                  bb5d6abdf8d0948ac6895ce7fdfbc151

                  SHA1

                  9266b7a247a4685892197194d2b9b86c8f6dddbd

                  SHA256

                  5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

                  SHA512

                  878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

                • C:\Autorun.inf

                  Filesize

                  196B

                  MD5

                  1564dfe69ffed40950e5cb644e0894d1

                  SHA1

                  201b6f7a01cc49bb698bea6d4945a082ed454ce4

                  SHA256

                  be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

                  SHA512

                  72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

                • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

                  Filesize

                  8.3MB

                  MD5

                  517b163c583432c16cee6164dd579cd0

                  SHA1

                  a9594485350b999a8d2414e5688a4a937a7dc277

                  SHA256

                  3b4e64ee81fc84c5ab2587ff3168416c9cbe227e69f8cf483eaa3969c5707bff

                  SHA512

                  477a80d2853ffe00ca921f64056416d6aaa66072b225202e489842fb0fcf5805341f186ae212c77c5127c7fa9e411087639a8f0e39bfb5082d0037f1fc156091

                • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

                  Filesize

                  8.3MB

                  MD5

                  2dbb5c1082d809ce83df93eb2f480a30

                  SHA1

                  c78a7e6ffe18f24d352c9540d22b18fb13fbf477

                  SHA256

                  b672ba2801a2f3f9ca5b3bc1b8bee564c4a7c32bd33fb5bf19d585146eeef8cf

                  SHA512

                  021be5d67af78098e5f5aa6964942aaf22a1d00252a43962679b16586f76c92adbf6c1d3d4dd7b4f841f0a9e79b548cb916df3212b6c68c6b4b5bb5e939d6db4

                • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

                  Filesize

                  8.3MB

                  MD5

                  05f2b9e64d365bc4c8008a2f2c7a9a05

                  SHA1

                  e6ed989b93d5aaa2a63f5c44189fd06c91327464

                  SHA256

                  bf4b9a33ad0a453b82dd4e9b47ab2f8579de087dae0b9b06707cc253c3590f11

                  SHA512

                  3335eed692d058ded6bf8ccc7be628124e4d20b3afbc3199d3a849f50ee75038718758a751210a08051d1d79b456cef59443f48121fbd619196929aae9b7d7ad

                • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

                  Filesize

                  8.3MB

                  MD5

                  425ea25f879293965de2388fc7e5f25d

                  SHA1

                  bbe5f7aa306f0e20e01260a3cf229e0a9c592e76

                  SHA256

                  e9eb361ceb652b364d4391e23952690a423b23d496d34a8885b565eb5202e174

                  SHA512

                  5c27108e69784fbf88d7e2e91b96e0cca192a1c224d531bf5179f30b9a203809accbddadebc07b7c53aa141b51c66fcf11cd5a6ac636cab835d4b9a5c8c50848

                • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

                  Filesize

                  8.3MB

                  MD5

                  fbc334f5aa8655a89edd01fb0a1682b8

                  SHA1

                  360d68fd5737aedc10ff7a9f248d705ab285c31a

                  SHA256

                  ac2b2b1ce0504445255b5b95ce4b0503c0a53c89346444fb0f623c86c503fde8

                  SHA512

                  14fe697e4939c6c9108ada5d7719ed40082f5752b86b62ec75a73e5a9522cb60b9a9296f76ebecdd40d5acc0448239c153c6d8a16d0b4e6f85f8f1e5233decda

                • C:\Windows\Fonts\The Kazekage.jpg

                  Filesize

                  1.4MB

                  MD5

                  d6b05020d4a0ec2a3a8b687099e335df

                  SHA1

                  df239d830ebcd1cde5c68c46a7b76dad49d415f4

                  SHA256

                  9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

                  SHA512

                  78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

                • C:\Windows\SysWOW64\2-5-2025.exe

                  Filesize

                  8.3MB

                  MD5

                  0bab5cfa406ae0bb913de68c83ecc744

                  SHA1

                  8343a772117f6a69f2e3d7648646d0e37e944b88

                  SHA256

                  957dd770041f69f44bcebda193123b533e12885936829315b4fc356318b007f4

                  SHA512

                  57297526801a702d087c49bee6f80f8ea898d48f4b4623546cfc70564e9cb07bdd5f9683f265b534621455d6cfc9142332abdcff8efaf7dfbcbc05bba07ebf93

                • C:\Windows\SysWOW64\2-5-2025.exe

                  Filesize

                  8.3MB

                  MD5

                  1ee7c026446b2b625b6cba581556aec1

                  SHA1

                  6c2b70476fc066571605f08bfad04534b20578c5

                  SHA256

                  c321145b3dc254015d619f8953e36f2635ae00e7dba88dca40529613cf18d5a6

                  SHA512

                  ae19efda3098a38a8d7f650c84dd279dd77c270de6544a41c0d06d83cefff6a40b26a61fad9231eff2759d466973cd0a9fc5bbcfa4d5715eee501ba17d7b280d

                • C:\Windows\SysWOW64\2-5-2025.exe

                  Filesize

                  8.3MB

                  MD5

                  4f815a5e34938a6d4db599cde91d26d6

                  SHA1

                  cff94ab2888210960bf4ffb74a2b9929fa1e4078

                  SHA256

                  234ca7d14c2120fa834ae01d644f6a3aa7d5758d0b2fbb373b0741c9763863bf

                  SHA512

                  84a90cf5fe62cfcb261902b57b0ea6c7b559d0c4f920bad466de9381abad8d67bd3b8a21ce449ffd2bc08f8476b68c95f7ca319cf125540f444012d9e2aceb1d

                • C:\Windows\SysWOW64\2-5-2025.exe

                  Filesize

                  8.3MB

                  MD5

                  8a803625ee2cb953e6ea145ceafa59df

                  SHA1

                  8ce49b26456f43828e7f42b85b4a873c79f60aff

                  SHA256

                  7a1cd45c535178a787215c7f410ffdf8e969edb5a8a6e0a7f8f0fb178067dcef

                  SHA512

                  bc8bef94e75e44989ae775356cd9ebc523ff2f1cc7312d34fd2c82ba40cdf3b579767ae242196080c3eb1f4273f7c2b16ae3b84b9e0d61dbe4df53137ee5daca

                • C:\Windows\SysWOW64\Desktop.ini

                  Filesize

                  65B

                  MD5

                  64acfa7e03b01f48294cf30d201a0026

                  SHA1

                  10facd995b38a095f30b4a800fa454c0bcbf8438

                  SHA256

                  ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

                  SHA512

                  65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  8.3MB

                  MD5

                  e8b49866850b49063e3982d8f34bf974

                  SHA1

                  e35e174b2172542f748be948623a0cfbb1b06144

                  SHA256

                  72f57f430b83916396c35782698e49eaac273fb46f1c25da74e7aa4c1c298818

                  SHA512

                  44abdbbf1cc356548382a41178638871fbd9e1d206f61d09a43ecb77c7bd4968fa9068f840c3a4a84bf7644fc83843f4079873c4e59974533b26bfcc79e1ce5a

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  8.3MB

                  MD5

                  62fb35f067b477efb6b9580ea21f281b

                  SHA1

                  d415ae6ff27d4bcb9728156a4a21963c5840f738

                  SHA256

                  9a8ea6c39d4e9cd867bede547b6798679780f72f7d5b5aea3d23dbf9e61658d4

                  SHA512

                  8c117c77c650bdf4011ba29d2f81f2188b93766ca3eee2b5cfc5381fbf0cafe9b73bca1d40efbc486ea170d0d6e15009fb9685c130c8ca2d797cca3029986d97

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  8.3MB

                  MD5

                  afd2a25376b4cda3839c56a8563d9d10

                  SHA1

                  2cd20164179d60c6967d9b548cf39db7092f2d43

                  SHA256

                  48d255b7f77e96826ee7ad7682a06c311c86f89c0caebe7c45516c6a1634f966

                  SHA512

                  202ce8878e3463a8bf0402f0e5b06b27243768b51d23f80f521b52be52cbc90a94f8a67a4268b204a1f54eaedc1b10fb6f591d9abc51982e218508ad02695e66

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  8.3MB

                  MD5

                  4bfb2a4c94012afd2c73681fe731f681

                  SHA1

                  99f9428ae08dc878b849ed6ff44b1a409ccce4b9

                  SHA256

                  82b14f49ac321b867fa7f5d7f9aadad703dc18824d52823a717ae014d1818013

                  SHA512

                  a187096284157e2d41ebc42f95901d8d7639d6b60a58c9a836c976caf70a3cddce5b7b0365ab287afdf69f610eb042eb956f73cae13ee214558af9c66927aa9b

                • C:\Windows\System\msvbvm60.dll

                  Filesize

                  1.4MB

                  MD5

                  25f62c02619174b35851b0e0455b3d94

                  SHA1

                  4e8ee85157f1769f6e3f61c0acbe59072209da71

                  SHA256

                  898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

                  SHA512

                  f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

                • memory/1412-347-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1412-131-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1412-310-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1412-316-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1412-0-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1464-275-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1680-158-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1852-309-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2012-167-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2140-289-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2188-279-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2188-261-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2252-216-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2252-235-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2848-307-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3256-592-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3256-314-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3256-223-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3256-270-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3672-124-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3672-114-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3704-264-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3800-109-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3800-118-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3960-295-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4032-164-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4032-182-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4068-179-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4532-226-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4532-191-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4848-78-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4944-315-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4944-125-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4944-458-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4944-190-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4964-74-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4964-172-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4964-544-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4964-313-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5016-255-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5016-312-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5016-590-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5016-186-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5188-257-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5188-233-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5340-303-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5504-292-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5560-317-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5560-388-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5560-32-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5560-152-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5560-311-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5720-282-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5864-300-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5864-284-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5892-198-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB