Analysis

  • max time kernel
    150s
  • max time network
    126s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250410-en
  • resource tags
    arch:x64, arch:x86, image:win11-20250410-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    02/05/2025, 10:45

General

  • Target

    2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe

  • Size

    8.3MB

  • MD5

    68c3ccf1747176dd33a3396e0a6df5b6

  • SHA1

    49a368528aa1bf37f3e46921d7ed127f7937b68b

  • SHA256

    6343149321470c22336072c0d6bbe1ad7781290cceb1b9ead202d9006d17236f

  • SHA512

    a45e5fc2ffc20a2fa177e0f337e90cb51a0e434e2ae77a0c71f0f01de3cb4598f9668b3ef680d6b44e0ec3086ca6e627dc44dfd4b298e80c7e97a60a8eeecad0

  • SSDEEP

    49152:qGyqWyWy0GyqWyWyMRPC1eHc785diLvQ8b1gtj:qGyqWyWy0GyqWyWyMRPC1eHL5dGYSW

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • UPX packed file 59 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 34 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 54 IoCs
  • Runs ping.exe 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:5932
    • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
      "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5832
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5536
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4640
        • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
          "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4812
        • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
          "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4880
        • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
          "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:5028
          • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
            "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4952
          • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
            "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:5060
          • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
            "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:5092
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:4988
            • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
              "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4004
            • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
              "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4136
            • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
              "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3384
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1848
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visibility of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Event Triggered Execution: Image File Execution Options Injection
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3348
              • C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
                "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3092
              • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
                "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1872
              • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
                "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3708
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3504
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:5112
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:5816
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:5432
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:5636
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1676
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:6040
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1808
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1140
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2348
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3868
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:904
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4052
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2036
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:5416
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3524
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1428
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5708
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3512
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5856
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1056
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:784
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4180
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:5788
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2140
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:5108
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4928
      • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5264
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1308
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5532
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:6016
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:6024
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:572
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3860
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4820
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4832
    • C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
      "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5132
    • C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
      "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:6084
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1160
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4644
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1444
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:996
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2840
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:5076
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4536
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4676
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe
    1⤵
    PID:3224
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe
    1⤵
    PID:1844
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 2-5-2025.exe
    1⤵
    PID:1628
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c drivers\csrss.exe
    1⤵
    PID:2124

Network

MITRE ATT&CK Enterprise v16


Downloads

                • C:\Admin Games\Anbu Team Sampit (Nothing).exe

                  Filesize

                  8.3MB

                  MD5

                  337599d7ca17138688de4e9efe7b88ff

                  SHA1

                  f3ebb730664b649353c23726905b50463c713174

                  SHA256

                  405bf442f1e151e175bdcde4fa835754730ab3427dbcada143b664556ff23a85

                  SHA512

                  0fa88c94182d5db648c9813d038df1c0af7c4c0a63c8b8f7e728adee9e584b728bfe0eb397c75b7e90509aa0708c742b1ed1ea6c5a0acda94c7f8f307e0b1044

                • C:\Admin Games\Readme.txt

                  Filesize

                  736B

                  MD5

                  bb5d6abdf8d0948ac6895ce7fdfbc151

                  SHA1

                  9266b7a247a4685892197194d2b9b86c8f6dddbd

                  SHA256

                  5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

                  SHA512

                  878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

                • C:\Autorun.inf

                  Filesize

                  196B

                  MD5

                  1564dfe69ffed40950e5cb644e0894d1

                  SHA1

                  201b6f7a01cc49bb698bea6d4945a082ed454ce4

                  SHA256
