Analysis

  • max time kernel
    150s
  • max time network
    132s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    03/05/2025, 16:15

General

  • Target

    2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe

  • Size

    9.5MB

  • MD5

    9a2c0fe849b2f07ee331696ffef50eb6

  • SHA1

    978bf0fd570e699bd682d0519138c35234c8231a

  • SHA256

    ff15808c643fcb662b8e4b34d40e7fb38e4719103fafde8f414bb99bcfc20fcf

  • SHA512

    980df21153538148816002e00c6a2524e633e41f05c1ff5aa1603475b6304e7346fb3a124ae521cc3b357e0b0355ac91698a971f6436f902b94a4e7846fb839f

  • SSDEEP

    98304:NyyqWyWy0GyqWyWyMRPC1eHL5dGYSEYvP:q1eHL5dEvP

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • UPX packed file 50 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 32 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-03_9a2c0fe849b2f07ee331696ffef50eb6_black-basta_elex_hijackloader_luca-stealer.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:4512
    • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
      "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2732
      • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1144
      • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4732
        • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
          "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5040
        • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
          "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5052
        • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
          "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3264
          • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
            "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4716
          • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
            "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3748
          • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
            "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2296
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:5980
            • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
              "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:896
            • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
              "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:5284
            • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
              "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:684
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:444
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visibility of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Event Triggered Execution: Image File Execution Options Injection
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:2144
              • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
                "C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4416
              • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
                "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3048
              • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
                "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:864
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2816
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:4292
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4544
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:5544
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:5720
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4768
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4136
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2784
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3644
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:5132
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1376
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1708
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:5284
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:6068
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2564
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5568
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4812
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4896
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5936
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3652
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5080
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4172
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:556
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2840
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:420
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2188
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:6132
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4444
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3732
      • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5776
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2480
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5044
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:840
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5760
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2564
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4164
    • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
      "C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5488
    • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
      "C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3156
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3004
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5752
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1408
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2956
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1044
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2020
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\Gaara.exe
    1⤵
    PID:5424
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 3-5-2025.exe
    1⤵
    PID:1864
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\smss.exe
    1⤵
    PID:5104
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c drivers\csrss.exe
    1⤵
    PID:868

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Admin Games\Readme.txt

    Filesize: 736B
    MD5: bb5d6abdf8d0948ac6895ce7fdfbc151
    SHA1: 9266b7a247a4685892197194d2b9b86c8f6dddbd
    SHA256: 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
    SHA512: 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

  • C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

    Filesize: 9.5MB
    MD5: a10cbf16ca9be16057e2d5d744ff5025
    SHA1: 8e43e546cb554f6c455ac1778703ad6cd97776ec
    SHA256: 9f8be177848650d9ae91930e0bdc40060094a07438053805eefc9d4e4ac51e8f
    SHA512: 8b88bfd8bd8619f97344254c14e244bb30d5dadde2e1130b00733f2d116087134a3aa6e7d2da40df832f7eea14627f0805780394e3216c8ca041e2a5cd1c76da

  • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

    Filesize: 9.5MB
    MD5: 9a2c0fe849b2f07ee331696ffef50eb6
    SHA1: 978bf0fd570e699bd682d0519138c35234c8231a
    SHA256: ff15808c643fcb662b8e4b34d40e7fb38e4719103fafde8f414bb99bcfc20fcf
    SHA512: 980df21153538148816002e00c6a2524e633e41f05c1ff5aa1603475b6304e7346fb3a124ae521cc3b357e0b0355ac91698a971f6436f902b94a4e7846fb839f

  • C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

    Filesize: 9.5MB
    MD5: 0f3ab06583eb960f04d48abc40e9881b
    SHA1: 42bc832b5017d2e3b3c32340d9cf1dbecdb11fde
    SHA256: ee510a36f6b395ae7df49850284e9bf2a738900584f99813f72e027ed948bcf9
    SHA512: 1092ab7bfb88ddcb075fa032710b13db01b50615a7559a5eaa7e0086bde2e1ca44603aad706de12ad0df888106379735b4f450759fae7e9f29e9bcf828647d28

  • C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

    Filesize: 9.5MB
    MD5: 0b5e265fb041af0cea926e6d6aa1f13b
    SHA1: 7f3ab1e11e705ebee7936fa7cd22ab8c89448a61
    SHA256: d41e03db77707d4ec5dfd8d4dae356906ee01fa860dfd2b26887d4ae5d3183be
    SHA512: 0119004ba646eb09a08f6513cb26b2e4dff20c722d9467d6aca76821742dd269caf9fd05226138a973a4d71c4f1e76c8a1754c0ed0078d736e099c85c6de431c

  • C:\Windows\Fonts\The Kazekage.jpg

    Filesize: 1.4MB
    MD5: d6b05020d4a0ec2a3a8b687099e335df
    SHA1: df239d830ebcd1cde5c68c46a7b76dad49d415f4
    SHA256: 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
    SHA512: 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

  • C:\Windows\SysWOW64\3-5-2025.exe

    Filesize: 2.6MB
    MD5: 26eadb4e283adc3c3db055bd466347dc
    SHA1: 137c65f2a46205e4f0391dc686f6836b47518e70
    SHA256: 5650851845e73549d0d16eaee10568a28a967d14b938ae3ede19b3d9a91f3b8c
    SHA512: 62e862a99bfac4edb83d90aea224cf6bdc6ddf94b2a90aea0f39e4d5a4a6664db2a551bb6db6fc1b1f8bd7009ce043cac1f43a6717e52fbdecde637cb09f46fa

  • C:\Windows\SysWOW64\3-5-2025.exe

    Filesize: 9.3MB
    MD5: 5179272473209922fb67b955074a0d42
    SHA1: 51dbbf1e056477a0c31073648594a81bf2488e20
    SHA256: bd896bb1822b7da4795bc0d0874b8a1af2e8fad5bd426d0d4d2da93297258dff
    SHA512: 930d771c82bc06419c784815a2822f13ca9efb46ca0523cddcbc846e436c1348b18784fa7ac470629f6b1b338cb13a01454ec0b7d01f823e7bb8daf80c12ced9

  • C:\Windows\SysWOW64\3-5-2025.exe

    Filesize: 4.2MB
    MD5: 1307faa2c34af81b5a47218a4499f82f
    SHA1: 2f4f1cfdce026ecded79ef5f1c98dd2118d127b3
    SHA256: c385d12e9d2982e08198ce7d1df09c9901458ec82716f484d0d28fd1de4bcd11
    SHA512: 3d72898fd2a8fe53f2e2984825d09d83f28c00149984af986b06e316851e4f27ee28da7a90785173920a390dbcb4b491d11aedb9d8bb30c306c6f54a377b038b

  • C:\Windows\SysWOW64\3-5-2025.exe

    Filesize: 3.0MB
    MD5: d44dfeea1255be02b13e9e731c13bb8f
    SHA1: 6103cab4353e7cc49dd6a9b54210a53bbdff330c
    SHA256: 264e8364c6625e75ee7b261dbec32983ca7de19b4a1ff2fdf39e32a03750f75a
    SHA512: 7caba4fc79bd3c31977404e6cbd730bc99ebf12226b27fced48b15eeb1b0491d78fd5435579828ada24bf6d3b71dc1f0f02939aa82d0025b3bb8706e4baef1fa

  • C:\Windows\SysWOW64\Desktop.ini

    Filesize: 65B
    MD5: 64acfa7e03b01f48294cf30d201a0026
    SHA1

                  10facd995b38a095f30b4a800fa454c0bcbf8438

                  SHA256

                  ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

                  SHA512

                  65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  9.5MB

                  MD5

                  dfe5f86547d75ae61759720a22338b02

                  SHA1

                  9ad0005f906b8dae2a6245f3b06bd8e0243c5cbf

                  SHA256

                  076cd573e6fc695ce6400d72d882f47ecb82a9a81cf5cf50eabe669253405e1b

                  SHA512

                  4bce4b79e8cacf5c3c8cc882da59fc414ebef444d4d3e9073545a99adf08853710e271520e893b0b26d2e8627dd795de868f0db0462c07e9fac06ee8a29ae0c5

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  9.5MB

                  MD5

                  13b02c2648500379578ece8015414ca1

                  SHA1

                  d455a5c97903c9cc7564604dcae3e331efe82317

                  SHA256

                  119ac29726b5c74096a008ab8a161dd83e238bcef6197ebb348cec4c52b12387

                  SHA512

                  59e3c116d07ac9a75e7b3010fe167799f0b68c0010c65815104f7f35af6ab584507ef1ac9c9699547c8c48acc63a7c1f91fd047885327bcbbe26144b3bf1eea0

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  2.9MB

                  MD5

                  79a213cc2f9bdfd6ad705bf51177d582

                  SHA1

                  fcecbfcb888abad0957e0ac17093372286f199b2

                  SHA256

                  ef6d4cbd61e606227baa76f4450d77c76acf6f922cb5196517f694a31cae4628

                  SHA512

                  7145125ac3bb8577bdfd1fac8886660f6a2a397d6c2c808d1fb39b5edd9ceca4488cdf49e60c099d4142455485b1153c1dcaa57bb4e337eae54dab35ea2dedfc

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  2.8MB

                  MD5

                  e1298c0dbe664e5931155b6c512e2ea3

                  SHA1

                  9a0b0aecc26975c24d6b394e411f9072a9728560

                  SHA256

                  f6bf85e4bef693d68654b628bc7c8491479c0971a4243ef3d8e8753a42988497

                  SHA512

                  910f84b43b2a23c29164a26395bfeba4272a096cd37f54d03d1a708328fbbc6cc8213b218e28db90e17fc0272c8850ccb488cb53dc837ad2e0614c0dd36cbd9b

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  9.5MB

                  MD5

                  ae95b1ee66375a286a0e77f2c4d4b607

                  SHA1

                  37a24453e683d69f267ca97fb39f9cf8b081871b

                  SHA256

                  bbf24a03d51fb62eef061bfb94642d4e25193875b5d19cf63d721b0f156af12f

                  SHA512

                  fa386932262338d302dfe2bc42eb8c6ab190a3ce1dedc5910ffd6a4c4dc31a0b9f4f0e72756700447a637aa2bf30ec90accaa369dd1c20c043b3a7405e578cff

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  9.5MB

                  MD5

                  05fa0276148eb4a89dad7549840da3d7

                  SHA1

                  62f498c172952233a93057049401d6b0fd9871b3

                  SHA256

                  779989032e6bf9d0a9b43f0342be584118717f90cf8b6ee146730b8c1fb13ad7

                  SHA512

                  f68fed2685ce5903d33e9f1b605ead05b97f38251f6b2497c3079367a66b81a2486db73e8cf002f3fbaf94e55db4b3b46dbc24e890d4da4c7a40c7ecb50f313c

                • C:\Windows\System\msvbvm60.dll

                  Filesize

                  1.4MB

                  MD5

                  25f62c02619174b35851b0e0455b3d94

                  SHA1

                  4e8ee85157f1769f6e3f61c0acbe59072209da71

                  SHA256

                  898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

                  SHA512

                  f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

                • memory/444-207-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/556-256-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/684-202-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1144-73-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1144-70-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2144-259-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2144-210-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2296-161-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2296-157-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2480-262-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2564-250-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2732-34-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2732-188-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2816-236-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2816-239-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3004-272-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3048-235-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3264-120-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3264-228-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3748-158-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4172-253-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4292-241-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4292-244-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4512-164-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4512-0-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4732-198-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4732-76-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5040-114-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5044-276-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5052-117-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5052-113-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5284-199-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5488-267-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5752-275-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5980-240-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5980-165-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB
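The dropped-file entries above are the report's host IOCs, and two things about them matter when they are turned into detections: several paths (C:\Windows\SysWOW64\3-5-2025.exe, C:\Windows\SysWOW64\drivers\system32.exe, C:\Windows\SysWOW64\drivers\Kazekage.exe) appear more than once with different hashes, so a hash-only match will miss later rewrites of the same file, and two of the drops borrow core Windows process names (csrss.exe, smss.exe) in C:\Windows\Fonts, a directory where the genuine binaries never live. The following is an added example, not part of the report or of the sandbox that produced it: a parser for the report's flattened "path / Filesize / MD5 / SHA1 / SHA256" layout, the two checks just described, and a plain SHA-256 directory sweep. The sample listing is constructed in that layout from four entries copied from this report (SHA512 lines omitted only for brevity); SYSTEM_PROCESS_NAMES and SYSTEM_DIRS are an allowlist assumed for the naming check, not something the report states.

```python
"""Parse a sandbox report's dropped-file listing into IOC records and hunt
with them. Added example; not code from the report or its sandbox."""
import hashlib
import ntpath
import os
import re
from collections import OrderedDict

# Constructed sample in the report's own layout; the four entries and
# their hash values are copied from this report, SHA512 lines left out.
SAMPLE_LISTING = r"""
• C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
  Filesize
  9.5MB
  MD5
  0f3ab06583eb960f04d48abc40e9881b
  SHA1
  42bc832b5017d2e3b3c32340d9cf1dbecdb11fde
  SHA256
  ee510a36f6b395ae7df49850284e9bf2a738900584f99813f72e027ed948bcf9
• C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
  Filesize
  9.5MB
  MD5
  0b5e265fb041af0cea926e6d6aa1f13b
  SHA1
  7f3ab1e11e705ebee7936fa7cd22ab8c89448a61
  SHA256
  d41e03db77707d4ec5dfd8d4dae356906ee01fa860dfd2b26887d4ae5d3183be
• C:\Windows\SysWOW64\3-5-2025.exe
  Filesize
  2.6MB
  MD5
  26eadb4e283adc3c3db055bd466347dc
  SHA1
  137c65f2a46205e4f0391dc686f6836b47518e70
  SHA256
  5650851845e73549d0d16eaee10568a28a967d14b938ae3ede19b3d9a91f3b8c
• C:\Windows\SysWOW64\3-5-2025.exe
  Filesize
  9.3MB
  MD5
  5179272473209922fb67b955074a0d42
  SHA1
  51dbbf1e056477a0c31073648594a81bf2488e20
  SHA256
  bd896bb1822b7da4795bc0d0874b8a1af2e8fad5bd426d0d4d2da93297258dff
"""

LABELS = {"Filesize": "size", "MD5": "md5", "SHA1": "sha1",
          "SHA256": "sha256", "SHA512": "sha512"}
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}
# Assumed allowlist: core process names and the only directories where the
# genuine binaries are expected. Anything else using these names is a hit.
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe",
                        "lsass.exe", "services.exe", "svchost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def size_to_bytes(text):
    """'9.5MB' -> 9961472, '65B' -> 65 (report sizes are rounded)."""
    m = re.fullmatch(r"([\d.]+)\s*(B|KB|MB|GB)", text.strip())
    if not m:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * UNITS[m.group(2)])


def parse_listing(text):
    """Turn the flattened 'path / label / value' layout into dict records."""
    records, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("• "):            # bullet starts a new record
            records.append({"path": line[2:].strip()})
            pending = None
        elif line in LABELS and records:     # label line: value follows
            pending = LABELS[line]
        elif pending and records:            # value line for that label
            records[-1][pending] = line if pending == "size" else line.lower()
            pending = None
    return records


def variants_by_path(records):
    """Paths the sample wrote more than once with different content."""
    seen = OrderedDict()
    for r in records:
        hashes = seen.setdefault(r["path"], [])
        if r.get("sha256") and r["sha256"] not in hashes:
            hashes.append(r["sha256"])
    return {p: h for p, h in seen.items() if len(h) > 1}


def system_names_outside_system_dirs(records):
    """Drops that borrow a core process name outside System32/SysWOW64."""
    return [r["path"] for r in records
            if ntpath.basename(r["path"]).lower() in SYSTEM_PROCESS_NAMES
            and ntpath.dirname(r["path"]).lower() not in SYSTEM_DIRS]


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, sha256_set):
    """Walk root; return (path, sha256) for files whose digest is an IOC.
    Unreadable files are skipped so a locked file does not abort the sweep."""
    matches = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_file(full)
            except OSError:
                continue
            if digest in sha256_set:
                matches.append((full, digest))
    return matches


if __name__ == "__main__":
    recs = parse_listing(SAMPLE_LISTING)
    iocs = {r["sha256"] for r in recs if "sha256" in r}
    for path, hashes in variants_by_path(recs).items():
        print(f"rewritten in place ({len(hashes)} variants): {path}")
    for path in system_names_outside_system_dirs(recs):
        print(f"system process name outside system dirs: {path}")
    for path, digest in hunt(os.getcwd(), iocs):
        print(f"IOC hit: {path} {digest}")
```

Feed the full listing from the report to parse_listing() to get every dropped file; the hash sweep is then an exact-match check, while variants_by_path() and system_names_outside_system_dirs() give path-based signals that survive the in-place rewrites the report shows.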