Analysis

  • max time kernel
    149s
  • max time network
    125s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64arch:x86image:win11-20250502-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    03/05/2025, 15:53

General

  • Target

    2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe

  • Size

    9.5MB

  • MD5

    0187b29f338fa5329aecfdf4dd33458a

  • SHA1

    da8b3f2af5e495daa6040b420dc4e0ac40d39c9b

  • SHA256

    7edeb8b50717817a353d24aadcecec71fd9ed6648998384b723017d98d79a45b

  • SHA512

    1257fcbe48c4e74adeaddb6957dd7702bc19ff6bdeed88500041f1f1db3f711c101e51e598e55f2c638af3a5cf3c48eaa0f76902193750e249913d7d0affdb54

  • SSDEEP

    98304:kyyqWyWy0GyqWyWyMRPC1eHL5dGYSEYv1:31eHL5dEv1

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • UPX packed file 44 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3704
    • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
      "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:752
      • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3096
      • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1168
        • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
          "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5404
        • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
          "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4792
        • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
          "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4844
          • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
            "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4444
          • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
            "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:388
          • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
            "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2960
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1068
            • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
              "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:964
            • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
              "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1624
            • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
              "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4968
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3312
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visiblity of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Event Triggered Execution: Image File Execution Options Injection
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:5760
              • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
                "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:5048
              • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
                "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3452
              • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
                "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2204
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1072
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4684
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:388
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4348
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3040
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4044
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3500
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3068
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4868
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4924
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1836
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:5372
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1388
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:444
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4648
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3388
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2340
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1732
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2868
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4988
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5028
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3816
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3080
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4248
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4008
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4636
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:5144
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3680
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1560
      • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5380
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2248
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4880
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2948
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1672
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2292
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5884
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2932
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1368
    • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
      "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5528
    • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
      "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5848
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3368
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4240
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2644
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:5824
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1488
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4208
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2392
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:5756
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\smss.exe
    1⤵
      PID:2264
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\Gaara.exe
      1⤵
        PID:2028
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c 3-5-2025.exe
        1⤵
          PID:1896
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c drivers\csrss.exe
          1⤵
            PID:2980

          Network

                MITRE ATT&CK Enterprise v16

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Admin Games\Readme.txt

                  Filesize

                  736B

                  MD5

                  bb5d6abdf8d0948ac6895ce7fdfbc151

                  SHA1

                  9266b7a247a4685892197194d2b9b86c8f6dddbd

                  SHA256

                  5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

                  SHA512

                  878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

                • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

                  Filesize

                  9.5MB

                  MD5

                  28f4130b7e83e58ae2d00a990c7095e6

                  SHA1

                  37b20eaab370104263a36583c451ae2003e179d6

                  SHA256

                  ef6676e8f4fd86a741e16b13c3039f8201b6dff9b57aa16a74f0e32e01b7581a

                  SHA512

                  e60ef2bf2899e7c3165b382b6daf542c0361c1af30130113f17bf75b0b9d471bdbd3d9b2770c6106499c582e16c9b4746ac6ba4edba3e36e1398ce79c38a8dab

                • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

                  Filesize

                  9.5MB

                  MD5

                  0187b29f338fa5329aecfdf4dd33458a

                  SHA1

                  da8b3f2af5e495daa6040b420dc4e0ac40d39c9b

                  SHA256

                  7edeb8b50717817a353d24aadcecec71fd9ed6648998384b723017d98d79a45b

                  SHA512

                  1257fcbe48c4e74adeaddb6957dd7702bc19ff6bdeed88500041f1f1db3f711c101e51e598e55f2c638af3a5cf3c48eaa0f76902193750e249913d7d0affdb54

                • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

                  Filesize

                  9.5MB

                  MD5

                  0849c02e56b7c48dec2a760d1c81e054

                  SHA1

                  d877f1aef77917904dd1df746d1abf10cabace3d

                  SHA256

                  8b88465800e16f96f800b19db2a8aa6b37f35c4f3a8f4b8e74b7b18947d6bac6

                  SHA512

                  4190047631f72c3169ec7a64994a1c06549cfa442010472247fa770fbe83fbcbe9d860f119da46acb56e0b43f96068b25c28ebbd1feb1db29223576b35af74a6

                • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

                  Filesize

                  9.5MB

                  MD5

                  936e54bd930785ef0bbefb22aacda9db

                  SHA1

                  eca6fa1ff092810c0fcd8e6717c5255120169659

                  SHA256

                  d43bd624583725171cfff0649a0e47dc76f5f5e1c352e0ca23304e4445bc92f1

                  SHA512

                  abbec998c0133bf5f23bc819bdda79105a7a4fca217f281401b202412b939c7b6f76ef0713f1e15aa4e3fe4c0e088675de400b2e1b050b504ed6e2d451eea1c5

                • C:\Windows\Fonts\The Kazekage.jpg

                  Filesize

                  1.4MB

                  MD5

                  d6b05020d4a0ec2a3a8b687099e335df

                  SHA1

                  df239d830ebcd1cde5c68c46a7b76dad49d415f4

                  SHA256

                  9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

                  SHA512

                  78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

                • C:\Windows\SysWOW64\3-5-2025.exe

                  Filesize

                  1.6MB

                  MD5

                  9b4da9153f28d12d002e698ebee06cad

                  SHA1

                  56382d6af2abd1ceec7d25d5c47aa22e239a0e0d

                  SHA256

                  11965def89a07922b45174ed42b6a1a23049073011b6c8cefb7b81818d8a86fd

                  SHA512

                  8cc1f1e9c6423c5e9c628eefced3784bcd4ae5f26194c8ab1ee5be15ca8fa740924e4c8086c500e8d24fe50e3c914b4015566d988c56e86d052da9c00650d962

                • C:\Windows\SysWOW64\3-5-2025.exe

                  Filesize

                  9.5MB

                  MD5

                  7caaff6fa157db47c5063b7b89c087fb

                  SHA1

                  1b4b5514d68421ff3cce8d7b8b71ed837bbda229

                  SHA256

                  cf238294b4fa7247cef5a4d67f04a829b4db71017c606fd858230da8725651c4

                  SHA512

                  278da0d993806027f37a6ba4fd118f451ea1543c8c9783cfd5ac3899a5e4efec0c9dd37b7d7081be5a3b0384864d08a3b009bd0d93c9837c27d8cf9af35f10a4

                • C:\Windows\SysWOW64\Desktop.ini

                  Filesize

                  65B

                  MD5

                  64acfa7e03b01f48294cf30d201a0026

                  SHA1

                  10facd995b38a095f30b4a800fa454c0bcbf8438

                  SHA256

                  ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

                  SHA512

                  65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  9.5MB

                  MD5

                  825747316fd6084a52fb1d6843c4c671

                  SHA1

                  316da0d986397eb829ddddec8bcd8af453d2e4a7

                  SHA256

                  397b9c62df4bd981b8379a19987ca1d7d73fef1df0c86822434855c760900c4d

                  SHA512

                  3c071e6d1b55329470f9cbc28506450f8189bc9fcca0761bb227399c874b5cfab6a0cbaabe3c849dc2bab59058642db36d48fec57f673d8e948b9b615eb832e1

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  9.5MB

                  MD5

                  df8079fe7a1db331c68bea29f87de1fe

                  SHA1

                  bad3a7afe4497bff1a9bd4ffe8f35f06bddf4521

                  SHA256

                  7571b7107318eaf1e99cda8fc1bc048ed8301bba9d70f78395d7ff56d9e646ac

                  SHA512

                  b174aedf9b6b068212885e77ec75a86e2334e99f907187fe669d50318dbec1e305c73aa72c716911a10779d6f74b72b3c3070c35696c5cbebdb6ed049dd43114

                • C:\Windows\System\msvbvm60.dll

                  Filesize

                  1.4MB

                  MD5

                  25f62c02619174b35851b0e0455b3d94

                  SHA1

                  4e8ee85157f1769f6e3f61c0acbe59072209da71

                  SHA256

                  898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

                  SHA512

                  f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

                • memory/388-158-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/752-189-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/752-32-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1068-166-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1068-237-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1072-239-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1168-76-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1168-197-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1624-198-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2248-258-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2248-261-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2960-157-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2960-161-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3080-253-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3096-70-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3096-73-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3312-205-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3368-273-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3452-232-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3704-0-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3704-165-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3816-248-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4240-276-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4648-245-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4684-238-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4684-242-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4792-114-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4792-117-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4844-227-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4844-121-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4880-264-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5404-113-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5528-267-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5760-257-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5760-209-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5848-270-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB