Analysis

  • max time kernel
    149s
  • max time network
    122s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    03/05/2025, 14:29

General

  • Target

    2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe

  • Size

    9.4MB

  • MD5

    fb25d1b774c9dd6cd99a7f8f4659ec50

  • SHA1

    75a1ceaa1691597ed1bc42eae48df4d71bfa1e82

  • SHA256

    09d1d22cc8284e012be85683e41bfaac5dc11940d87dd13b7103322907fae508

  • SHA512

    296e951524b2ab5f55d5a454aa6e6de10df29c767dd28ba5f9792f34c44abb7cb01f2ae1fd6b6c68f295f521cb0acce6270a56a4cad26e8cddbd8f779d4df7b1

  • SSDEEP

    98304:cGyqWyWy0GyqWyWyMRPC1eHL5dGYSEYvA:Z1eHL5dEvA

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-03_fb25d1b774c9dd6cd99a7f8f4659ec50_black-basta_elex_hijackloader_luca-stealer.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4576
    • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
      "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4040
      • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3060
      • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2660
        • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
          "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4080
        • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
          "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Suspicious use of SetWindowsHookEx
          PID:2708
        • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
          "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4828
          • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
            "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1288
          • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
            "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3884
          • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
            "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4304
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:3004
            • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
              "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4568
            • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
              "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1840
            • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
              "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3512
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4644
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visibility of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Event Triggered Execution: Image File Execution Options Injection
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:4780
              • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
                "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4704
              • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
                "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1032
              • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
                "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1700
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2436
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2904
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3124
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3928
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3472
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3928
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3916
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3520
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1508
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2596
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2312
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:548
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4304
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4424
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4456
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3060
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4820
            • C:\Windows\System32\Conhost.exe
              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              6⤵
              PID:3628
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5072
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:716
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4672
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:8
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4996
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4240
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2280
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1768
          • C:\Windows\System32\Conhost.exe
            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            5⤵
            PID:4456
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3356
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1768
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4992
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4328
      • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4624
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4184
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1096
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1332
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:768
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4724
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2676
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3000
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4252
    • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
      "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2240
    • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
      "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:716
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3628
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2400
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2000
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4628
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3508
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2484
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1996
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4616
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\smss.exe
    1⤵
    PID:3480
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\Gaara.exe
    1⤵
    PID:352
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 3-5-2025.exe
    1⤵
    PID:2368
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c drivers\csrss.exe
    1⤵
    PID:4596
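The tree shows the pattern worth detecting: copies of the sample named after system processes (smss.exe, csrss.exe) running from C:\Windows\Fonts\, further copies (Kazekage.exe, system32.exe) in the drivers directory, which the 32-bit sample reaches through WOW64 redirection (launched as C:\Windows\system32\drivers\... and actually landing in C:\Windows\SysWOW64\drivers\), and repeated ping.exe runs with 65500 on the command line. Two details matter for a rule writer. Windows ping's syntax is `ping [-a] [-l size] target`, so in `ping -a -l www.rasasayang.com.my 65500` the host name occupies the size slot and `65500` the target slot; a rule keyed only on a parsed -l value would miss it, so the example below also matches raw numeric tokens. And `cmd.exe /c Fonts\Admin 3 - 5 - 2025\smss.exe` is unquoted, so cmd treats `Fonts\Admin` as the program and the remaining words as its arguments, which is consistent with the four cmd.exe entries having no child process. The Python below is an added example, not code from the report or from the sandbox: it runs four such rules over process-creation events constructed from the command lines in the tree. The event shape (pid, image, cmdline), the argument splitter's simplifications and the two benign control events are assumptions.

```python
import ntpath
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, object]     # assumed event shape: pid, image, cmdline
Alert = Tuple[int, str, str]  # (pid, rule name, detail)
SYSTEM_PROCESS_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM32 = r"c:\windows\system32"
# The sample is 32-bit: "C:\Windows\system32\drivers\..." on its command line is redirected
# by WOW64, so the image really runs from SysWOW64\drivers. Match both spellings.
SUSPICIOUS_EXE_DIRS = (r"c:\windows\fonts", r"c:\windows\system32\drivers", r"c:\windows\syswow64\drivers")
PING_OPTS_WITH_VALUE = {"-n", "-l", "-i", "-v", "-r", "-s", "-j", "-k", "-w", "-S", "-c", "-p"}
MAX_PING_SIZE = 65500         # largest -l value ping.exe accepts

def split_windows_args(cmdline: str) -> List[str]:
    """Whitespace split with double-quote grouping, as cmd.exe sees a line (backslashes stay literal)."""
    args, cur, in_quote = [], [], False
    for ch in cmdline:
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            if cur:
                args.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        args.append("".join(cur))
    return args

def parse_windows_ping(args: List[str]) -> Dict[str, object]:
    """Walk ping.exe's syntax (options first, then the target); '-l' must be followed by a size."""
    size, target, malformed = None, None, []
    i = 1
    while i < len(args):
        a = args[i]
        if a.startswith("-") and len(a) > 1:
            takes_value = a in PING_OPTS_WITH_VALUE
            val = args[i + 1] if takes_value and i + 1 < len(args) else None
            if a == "-l":
                if val is not None and val.isdigit() and int(val) <= MAX_PING_SIZE:
                    size = int(val)
                else:
                    malformed.append(f"-l {val!r}")
            i += 2 if takes_value else 1
        else:
            target = a
            i += 1
    return {"size": size, "target": target, "malformed": malformed}

def cmd_c_program(args: List[str]) -> Tuple[str, List[str]]:
    """What 'cmd.exe /c ...' launches: the first token after /c; the rest become its arguments."""
    lowered = [a.lower() for a in args]
    if "/c" not in lowered:
        return "", []
    tail = args[lowered.index("/c") + 1:]
    return (tail[0] if tail else ""), tail[1:]

def run_rules(events: Iterable[Event]) -> List[Alert]:
    alerts: List[Alert] = []
    for ev in events:
        pid, image = int(ev["pid"]), str(ev["image"]).lower()
        name, directory = ntpath.basename(image), ntpath.dirname(image)
        args = split_windows_args(str(ev["cmdline"]))
        # Rule 1: a core system process name running outside System32 (masquerading).
        if name in SYSTEM_PROCESS_NAMES and directory != SYSTEM32:
            alerts.append((pid, "system process name outside System32", image))
        # Rule 2: any executable started from the Fonts or drivers directories.
        if name.endswith(".exe") and directory.startswith(SUSPICIOUS_EXE_DIRS):
            alerts.append((pid, "executable run from Fonts/drivers directory", image))
        # Rule 3: ping with a large or malformed -l; raw numeric tokens are checked too, so a
        # botched "ping -a -l host 65500" is caught as well as a well-formed flood.
        if name == "ping.exe":
            parsed = parse_windows_ping(args)
            big = [t for t in args[1:] if t.isdigit() and int(t) >= 1024]
            if parsed["malformed"] or (parsed["size"] or 0) >= 1024 or big:
                alerts.append((pid, "oversized or malformed ping", f"{parsed} numeric_tokens={big}"))
        # Rule 4: 'cmd /c' given an unquoted path with spaces; cmd runs only the first token.
        if name == "cmd.exe":
            prog, rest = cmd_c_program(args)
            if rest and not prog.lower().endswith(".exe") and any("\\" in r for r in rest):
                alerts.append((pid, "cmd /c unquoted path with spaces", f"runs {prog!r}; leftover {' '.join(rest)!r}"))
    return alerts

# Constructed events: paths, command lines and PIDs 4040/3004/3124/3480 come from the process
# tree above; the two benign controls (PIDs 9001, 9002) are invented for contrast.
SAMPLE_EVENTS: List[Event] = [
    {"pid": 4040, "image": r"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe", "cmdline": r'"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"'},
    {"pid": 3004, "image": r"C:\Windows\SysWOW64\drivers\Kazekage.exe", "cmdline": r"C:\Windows\system32\drivers\Kazekage.exe"},
    {"pid": 3124, "image": r"C:\Windows\SysWOW64\ping.exe", "cmdline": "ping -a -l www.rasasayang.com.my 65500"},
    {"pid": 3480, "image": r"C:\Windows\system32\cmd.exe", "cmdline": r"C:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\smss.exe"},
    {"pid": 9001, "image": r"C:\Windows\System32\smss.exe", "cmdline": r"\SystemRoot\System32\smss.exe"},
    {"pid": 9002, "image": r"C:\Windows\System32\PING.EXE", "cmdline": "ping -n 1 127.0.0.1"},
]

if __name__ == "__main__":
    for pid, rule, detail in run_rules(SAMPLE_EVENTS):
        print(f"{pid:>5}  {rule}: {detail}")
```

Against SAMPLE_EVENTS the rules raise five alerts: two for the Fonts-directory smss.exe (rules 1 and 2), one each for the redirected Kazekage.exe, the ping and the cmd launcher, and none for the two controls. What ping.exe itself did with the swapped arguments is not recorded here (the Network section of the report is empty), which is the reason the detection matches on what is on the command line rather than on what the tool would have sent.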

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Admin Games\Readme.txt

    Filesize

    736B

    MD5

    bb5d6abdf8d0948ac6895ce7fdfbc151

    SHA1

    9266b7a247a4685892197194d2b9b86c8f6dddbd

    SHA256

    5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

    SHA512

    878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

  • C:\Autorun.inf

    Filesize

    196B

    MD5

    1564dfe69ffed40950e5cb644e0894d1

    SHA1

    201b6f7a01cc49bb698bea6d4945a082ed454ce4

    SHA256

    be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

    SHA512

    72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

  • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

    Filesize

    9.4MB

    MD5

    6159f0d9c424f0ea31dc5ecac105e25d

    SHA1

    d129bd2d2a3a0a4acd66d68977c822b8e0bd03cc

    SHA256

    c9a201c26080ee7f2d08d66f93af6c53fc5e5bd2ce90057239d010f7b730b32e

    SHA512

    c0c7974b48e49a85404912bb65c91de3e43c583e64d2c2f9aca026bd1680afc3a5e0e600dd8ccc38053ec873d6c3266f855e8d9c3db24606ffc1ad6f2833d9b8

  • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

    Filesize

    9.4MB

    MD5

    fb25d1b774c9dd6cd99a7f8f4659ec50

    SHA1

    75a1ceaa1691597ed1bc42eae48df4d71bfa1e82

    SHA256

    09d1d22cc8284e012be85683e41bfaac5dc11940d87dd13b7103322907fae508

    SHA512

    296e951524b2ab5f55d5a454aa6e6de10df29c767dd28ba5f9792f34c44abb7cb01f2ae1fd6b6c68f295f521cb0acce6270a56a4cad26e8cddbd8f779d4df7b1

  • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

    Filesize

    9.4MB

    MD5

    702bb50355e6ad028b365567c0594dbc

    SHA1

    13bccc8662cbb40888fef8b27fe3de4704729f8e

    SHA256

    12bc0be6d89b8a04925bc18c232629c7886adadf079d23652831732deed2d46c

    SHA512

    c9accec02641241456501d5f807107072f1a957b3dd91713cf83f68f663195269424bfd2f95eb8a10e2bf428c0af907844b7d8f85a2658a7a563035021de3b21

  • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

    Filesize

    9.4MB

    MD5

    eab670c5f02b99203b53780d20142e38

    SHA1

    c492e25cd3cb167f4157d72dd412b16466c97d4d

    SHA256

    695c3dd03fe5c5b6c86399abef35ce62ad73bea24fe8ec49467170a072057a9f

    SHA512

    042e97e7b6ab81b0f7d887ece07118a74109704c026f86ed48ddb2efac01c0657372a3bc4c5c1dc7175286f544a08d3f87ee99d53d80cf7f59bfaa7172cc70ac

  • C:\Windows\Fonts\The Kazekage.jpg

    Filesize

    1.4MB

    MD5

    d6b05020d4a0ec2a3a8b687099e335df

                      SHA1

                      df239d830ebcd1cde5c68c46a7b76dad49d415f4

                      SHA256

                      9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

                      SHA512

                      78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

                    • C:\Windows\SysWOW64\3-5-2025.exe

                      Filesize

                      9.4MB

                      MD5

                      7beb48092a5a1fc94ae1495724179759

                      SHA1

                      75a06466009ec3afcc75fed38af9b42ff91a704c

                      SHA256

                      58523c3e7a29bb324d06c5b43059111220ea99682351a65dfbe3448f0fc0b667

                      SHA512

                      e6b5de1c874ff6a5f58e28be1fec9921529de7ea1697c0bf89680ab2bd81606ecb1bb30c85189a224e95b48d5d0fcf49a1f5dbe55f3969fdc4251fbf1c421388

                    • C:\Windows\SysWOW64\3-5-2025.exe

                      Filesize

                      2.4MB

                      MD5

                      bc1f9733f0331f31dfafaf4f2bd01b82

                      SHA1

                      b10a21c71e9a27f1b0e42c65ba70f45c668d83bc

                      SHA256

                      bf3a6af2c120d3699d140b6bd943032dca62c2a4b358aa840924f4abeebb6353

                      SHA512

                      c7fb9cdf50c03fa6bd5ad0426908ebde8e7de7a2f4ff0d28f058e0af8a0cca79daaa786f036e935e22e5125ad9b9e6858b706c941ba7a5bce87a3edc1e648ef5

                    • C:\Windows\SysWOW64\Desktop.ini

                      Filesize

                      65B

                      MD5

                      64acfa7e03b01f48294cf30d201a0026

                      SHA1

                      10facd995b38a095f30b4a800fa454c0bcbf8438

                      SHA256

                      ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

                      SHA512

                      65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

                    • C:\Windows\SysWOW64\drivers\Kazekage.exe

                      Filesize

                      9.4MB

                      MD5

                      2d2f76de9a817ccb48157b679a4d2455

                      SHA1

                      993ac9f16e0d35614ba9dbdaf4992aa72a28828d

                      SHA256

                      70add32f53d6f363de42792a228327d8897a83d3ba5793f0abf52bf55574fae4

                      SHA512

                      8981eaf499c715af9027d3ae7f52ec2adc3f9af274247d14f3da8992d72ca4ebe73e0ad27e1a040456eb9d8f376460185503a7c02a1c96eec9719e08a1a4d4c9

                    • C:\Windows\SysWOW64\drivers\system32.exe

                      Filesize

                      9.4MB

                      MD5

                      8c8eb54795acc86344fe2019ef4bab60

                      SHA1

                      9b91f8fca24fe044c502d285658d7873c152e248

                      SHA256

                      e4e88ed9eccc57c1f8e523aa96e6b18ce1900004b13d68c5386aad00866990fe

                      SHA512

                      683b273cd1a4ce8cf6849abb57b1a42aad0be40ae2cf641fa69245d8fae20a5027a4097dc586fcc4b4d8dc63eb671210ddb840feaadbf4f04d7c353e5ea2f854

                    • C:\Windows\SysWOW64\drivers\system32.exe

                      Filesize

                      832KB

                      MD5

                      dc739c3795d133358a9cfd96022d0ca2

                      SHA1

                      1dab8b97760ddca93c92043c5a054f77bb80e2e9

                      SHA256

                      eef59916c1570fbcbaba47da00f505a8f62e20428eb0107cbe46b2c78bc85a28

                      SHA512

                      31b03eb37e4786eb7bda68e0639325107e2a992a1eeae9fb5b37675af30057880a9eadaebba0ef1d3d592d045d640dedc06a4f2e7e55d70f648159b84eda3ba6

                    • C:\Windows\System\msvbvm60.dll

                      Filesize

                      1.4MB

                      MD5

                      25f62c02619174b35851b0e0455b3d94

                      SHA1

                      4e8ee85157f1769f6e3f61c0acbe59072209da71

                      SHA256

                      898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

                      SHA512

                      f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

                    • C:\Windows\system\msvbvm60.dll

                      Filesize

                      1.3MB

                      MD5

                      229f878923da3f8a4b1f55fbe19676f4

                      SHA1

                      7ce8614337d8d1c3f342cdb9438d6c6207cd5090

                      SHA256

                      a333291c65e432df6e44f8a04779a0962bf61b815a051fb6b1761b23a82af98d

                      SHA512

                      85b50d24332f84e372e24ec455553fa9e30b7b59ee32f8953313856e8720e6f347856386f614c6b5011f0763dc29d8c3fa2a5c8d565b9c1115479a6303e0994c

                    • F:\Admin Games\Naruto games.exe

                      Filesize

                      9.4MB

                      MD5

                      ef0b709dfbcf5d4448eb11ad65f4d5c0

                      SHA1

                      75e9995fddf525bf0df76b6c7f6d11371b984e14

                      SHA256

                      e4162f452924d08fdf4f91a893e3af8d18e57b717ed1431313ef17f7b6d196eb

                      SHA512

                      3d2f31ab734fe048490514f9f6d3ba7100a335142f4545b1c9b46d8a723cd0aec515cfae5a0d72566c8c50052b8108fb1633a6c3bafe8ff7716cf05fb0ec8f5e

                    • memory/716-298-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/1032-247-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/1096-290-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/1288-152-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/1288-158-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/1700-251-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/1840-202-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/1840-206-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/2240-294-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/2400-306-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/2436-260-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/2436-252-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/2660-309-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/2660-78-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/2660-458-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/2660-208-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/2708-124-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/2708-115-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/2904-262-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/2904-256-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/3004-255-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/3004-510-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/3004-311-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/3004-172-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/3060-73-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/3512-209-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/3628-302-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/3884-162-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4040-391-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4040-195-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4040-308-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4040-32-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4080-113-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4080-109-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4184-286-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4240-277-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4304-168-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4456-266-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4576-171-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4576-390-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4576-307-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4576-0-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4624-281-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4644-218-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4644-214-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4780-312-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4780-282-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4780-221-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4780-545-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4828-310-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4828-125-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4828-240-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4828-588-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB

                    • memory/4996-273-0x0000000000400000-0x000000000042A000-memory.dmp

                      Filesize

                      168KB
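
The dropped-file inventory above, worked through as an added triage example (this is not part of the sandbox output). The script embeds the report's own paths, sizes and SHA-256 values and answers the questions a responder asks of such a list: which drops are byte-identical copies of the submitted sample (the Fonts\Admin 3 - 5 - 2025\csrss.exe entry carries the parent's SHA-256), which paths were written more than once with different content and so need more than one hash as an IOC, which drops borrow the name of a core Windows process outside its real directory, and which entries point at the removable-drive spread that the Autorun.inf and F:\ drops suggest. The table of protected process names and their home directory is an assumption chosen for the example, not something the report states.

```python
"""IOC triage over the dropped-file inventory from the sandbox report above.

Added example, not part of the sandbox output. DROPPED is copied from the
report's Downloads list (path, size as shown, SHA-256); PARENT_SHA256 is the
submitted sample's SHA-256 from the report header. SYSTEM_BINARY_HOMES is an
assumption for this example (which process names belong only in System32).
"""
import ntpath
from collections import defaultdict

PARENT_SHA256 = "09d1d22cc8284e012be85683e41bfaac5dc11940d87dd13b7103322907fae508"

# (path, size, SHA-256) copied from the report's Downloads list.
DROPPED = [
    ("C:\\Admin Games\\Readme.txt", "736B", "5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8"),
    ("C:\\Autorun.inf", "196B", "be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184"),
    ("C:\\Windows\\Fonts\\Admin 3 - 5 - 2025\\Gaara.exe", "9.4MB", "c9a201c26080ee7f2d08d66f93af6c53fc5e5bd2ce90057239d010f7b730b32e"),
    ("C:\\Windows\\Fonts\\Admin 3 - 5 - 2025\\csrss.exe", "9.4MB", "09d1d22cc8284e012be85683e41bfaac5dc11940d87dd13b7103322907fae508"),
    ("C:\\Windows\\Fonts\\Admin 3 - 5 - 2025\\csrss.exe", "9.4MB", "12bc0be6d89b8a04925bc18c232629c7886adadf079d23652831732deed2d46c"),
    ("C:\\Windows\\Fonts\\Admin 3 - 5 - 2025\\smss.exe", "9.4MB", "695c3dd03fe5c5b6c86399abef35ce62ad73bea24fe8ec49467170a072057a9f"),
    ("C:\\Windows\\Fonts\\The Kazekage.jpg", "1.4MB", "9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a"),
    ("C:\\Windows\\SysWOW64\\3-5-2025.exe", "9.4MB", "58523c3e7a29bb324d06c5b43059111220ea99682351a65dfbe3448f0fc0b667"),
    ("C:\\Windows\\SysWOW64\\3-5-2025.exe", "2.4MB", "bf3a6af2c120d3699d140b6bd943032dca62c2a4b358aa840924f4abeebb6353"),
    ("C:\\Windows\\SysWOW64\\Desktop.ini", "65B", "ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62"),
    ("C:\\Windows\\SysWOW64\\drivers\\Kazekage.exe", "9.4MB", "70add32f53d6f363de42792a228327d8897a83d3ba5793f0abf52bf55574fae4"),
    ("C:\\Windows\\SysWOW64\\drivers\\system32.exe", "9.4MB", "e4e88ed9eccc57c1f8e523aa96e6b18ce1900004b13d68c5386aad00866990fe"),
    ("C:\\Windows\\SysWOW64\\drivers\\system32.exe", "832KB", "eef59916c1570fbcbaba47da00f505a8f62e20428eb0107cbe46b2c78bc85a28"),
    ("C:\\Windows\\System\\msvbvm60.dll", "1.4MB", "898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2"),
    ("C:\\Windows\\system\\msvbvm60.dll", "1.3MB", "a333291c65e432df6e44f8a04779a0962bf61b815a051fb6b1761b23a82af98d"),
    ("F:\\Admin Games\\Naruto games.exe", "9.4MB", "e4162f452924d08fdf4f91a893e3af8d18e57b717ed1431313ef17f7b6d196eb"),
]

# Assumption for this example: core Windows process names and the only
# directory they legitimately live in. Same name elsewhere = masquerading
# (ATT&CK T1036). Keys and values are compared case-insensitively.
SYSTEM_BINARY_HOMES = {
    "csrss.exe": {"c:\\windows\\system32"},
    "smss.exe": {"c:\\windows\\system32"},
}


def copies_of_parent(entries, parent_sha256=PARENT_SHA256):
    """Paths whose content is byte-identical to the submitted sample."""
    return sorted({p for p, _, h in entries if h == parent_sha256})


def rewritten_paths(entries):
    """Paths seen with more than one hash: the file was overwritten during the
    run, so a single-hash IOC for that path would miss one of the versions.
    Paths are lower-cased because NTFS is case-insensitive (System == system)."""
    seen = defaultdict(set)
    for p, _, h in entries:
        seen[p.lower()].add(h)
    return sorted(p for p, hs in seen.items() if len(hs) > 1)


def masquerading(entries, homes=SYSTEM_BINARY_HOMES):
    """Files named like core Windows processes but dropped outside their home."""
    hits = set()
    for p, _, _ in entries:
        name = ntpath.basename(p).lower()
        parent = ntpath.dirname(p).lower()
        if name in homes and parent not in homes[name]:
            hits.add(p)
    return sorted(hits)


def removable_media_spread(entries):
    """Autorun.inf plus payloads on a volume other than C: are the file-system
    side of the 'Drops autorun.inf file' / 'Enumerates connected drives' signatures."""
    autorun = [p for p, _, _ in entries if ntpath.basename(p).lower() == "autorun.inf"]
    other_volumes = [p for p, _, _ in entries
                     if ntpath.splitdrive(p)[0].upper() not in ("C:", "")]
    return {"autorun": sorted(autorun), "other_volumes": sorted(other_volumes)}


def unique_sha256(entries):
    """Deduplicated file-hash IOC set for blocking and hunting."""
    return sorted({h for _, _, h in entries})


if __name__ == "__main__":
    print("byte-identical copies of sample:", copies_of_parent(DROPPED))
    print("paths overwritten during run:", rewritten_paths(DROPPED))
    print("masquerading system names:", masquerading(DROPPED))
    print("removable-media indicators:", removable_media_spread(DROPPED))
    print(len(unique_sha256(DROPPED)), "unique SHA-256 IOCs")
```

The point of keying on path plus hash rather than path alone is visible in the report itself: csrss.exe, 3-5-2025.exe, system32.exe and msvbvm60.dll each appear twice with different content, so a block list built from one hash per path would leave half of those artifacts uncovered. The masquerading check is the one most worth porting to an EDR query, since a csrss.exe or smss.exe anywhere but System32 is a high-confidence signal regardless of hash.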