Analysis

  • max time kernel
    149s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    18/05/2025, 10:17

General

  • Target

    2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe

  • Size

    8.2MB

  • MD5

    3634e9114c3bd0532cd09ef30d1edb0c

  • SHA1

    2fe2b9a03c4ddd8500f826704d0e4bb081ee2d11

  • SHA256

    d7e263ab3219fe6cf532476e1d51ac75d0f11bd7f011875b69d69a32debb75e1

  • SHA512

    1cac989da54d317e32faf31dae043bbe8e7ebe3578c7ae51f4b2fcd998166b7c7f13092802cec915aa7a6675fc6e4d9ebed5caa1cabcf8b5ac1f676871a622a9

  • SSDEEP

    49152:AyyqWyWy0GyqWyWyMRPC1eHc785dxytlWF17:AyyqWyWy0GyqWyWyMRPC1eHL5dxyjyp

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • UPX packed file 47 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3336
    • C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
      "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:2196
      • C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4736
      • C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4976
        • C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
          "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5012
        • C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
          "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4612
        • C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
          "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:972
          • C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
            "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1040
          • C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
            "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:5632
          • C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
            "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:5000
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:5184
            • C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
              "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4552
            • C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
              "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2536
            • C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
              "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4152
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4128
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2832
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2964
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4816
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1572
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3572
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:5900
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:5460
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetWindowsHookEx
            PID:6136
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2728
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3700
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5108
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1740
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5784
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5248
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:896
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3360
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:5212
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3808
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2424
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3300
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4660
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1344
      • C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1536
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2128
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3884
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5332
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5248
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5240
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2700
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3988
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2088
    • C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
      "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2776
    • C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
      "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3180
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5416
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4064
      • C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1352
      • C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2280
      • C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4544
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3436
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3700
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4196
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:6032
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3316
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4836
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3748
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3812
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4252
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1744
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:5576
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:6048
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:5552
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1608
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\smss.exe
    1⤵
      PID:1032
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\Gaara.exe
      1⤵
        PID:4164
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c 18-5-2025.exe
        1⤵
          PID:4248
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c drivers\csrss.exe
          1⤵
            PID:1072

          Network

                MITRE ATT&CK Enterprise v16

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Admin Games\Readme.txt

                  Filesize

                  736B

                  MD5

                  bb5d6abdf8d0948ac6895ce7fdfbc151

                  SHA1

                  9266b7a247a4685892197194d2b9b86c8f6dddbd

                  SHA256

                  5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

                  SHA512

                  878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

                • C:\Autorun.inf

                  Filesize

                  196B

                  MD5

                  1564dfe69ffed40950e5cb644e0894d1

                  SHA1

                  201b6f7a01cc49bb698bea6d4945a082ed454ce4

                  SHA256

                  be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

                  SHA512

                  72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

                • C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

                  Filesize

                  8.2MB

                  MD5

                  2365043f1c8901f23cd8f48d6db645b0

                  SHA1

                  067786d3adec3847981a984806f91f261dd971ac

                  SHA256

                  164c30af21772ff64288c0ae9e3136d13b7635d8032c807df035006435dd7303

                  SHA512

                  4bec7c5d1909d5b057c3d842afb4e38c937b1f0e1c833c83f86979ef80488939c4895693bf2417119598e1b3fda11aaa842ef0e19fb9665cd5ccd773ac28bce0

                • C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

                  Filesize

                  8.2MB

                  MD5

                  3634e9114c3bd0532cd09ef30d1edb0c

                  SHA1

                  2fe2b9a03c4ddd8500f826704d0e4bb081ee2d11

                  SHA256

                  d7e263ab3219fe6cf532476e1d51ac75d0f11bd7f011875b69d69a32debb75e1

                  SHA512

                  1cac989da54d317e32faf31dae043bbe8e7ebe3578c7ae51f4b2fcd998166b7c7f13092802cec915aa7a6675fc6e4d9ebed5caa1cabcf8b5ac1f676871a622a9

                • C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

                  Filesize

                  8.2MB

                  MD5

                  b8960a07a26449bc9bd028ecf6c62bc6

                  SHA1

                  8a4bc8a8ec8f3412ac60d4cd41a183ae584e3207

                  SHA256

                  99917f78704e49b44af677f715abfbe555ff01d9f3e52f245c395e5d04f3d4e7

                  SHA512

                  efbc99ffdd80a0aabfd6b9360ebafe19ffbeac5bdf566d3210fd8285e022137b91c9a2198d1c047271ee8f2af79797ce463f33ea4b439d20cc8d8b82e1024d70

                • C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

                  Filesize

                  8.2MB

                  MD5

                  316d523270f906f999a05482e65987f4

                  SHA1

                  3b1ec8dfee342b6c713c26bd92458b0ad7e5d286

                  SHA256

                  fcf55344d9203c5b270ba0ad4b74c1c0b3bf4382f490edef289a07b43fbba5f1

                  SHA512

                  513c2d4b7e47e45585b3a7d08a5ca71f008756749c9a78fd92cb6de8590fb3c3f9353d27a8445453269f30412fcb8580958108918acfa2a54016fab778b5bc93

                • C:\Windows\Fonts\The Kazekage.jpg

                  Filesize

                  1.4MB

                  MD5

                  d6b05020d4a0ec2a3a8b687099e335df

                  SHA1

                  df239d830ebcd1cde5c68c46a7b76dad49d415f4

                  SHA256

                  9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

                  SHA512

                  78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

                • C:\Windows\SysWOW64\18-5-2025.exe

                  Filesize

                  8.2MB

                  MD5

                  83effef91ded9a8cacada4dcf3d74363

                  SHA1

                  fb2d36bdd3ae65c1789a67e51f4a00328502bc5d

                  SHA256

                  56d8707feed0d90d2ba81019d6b42b664a0259a8162b99220a868a6c28ee4cd7

                  SHA512

                  7734df20ac9c64c6756a85cf1a1b52aa6b9f98263e6ac38791c7dc7359ba4fc00e44927f81ec33de6d1d62bac187fd2086e751e34d3f2738b32ee35f5573857d

                • C:\Windows\SysWOW64\Desktop.ini

                  Filesize

                  65B

                  MD5

                  64acfa7e03b01f48294cf30d201a0026

                  SHA1

                  10facd995b38a095f30b4a800fa454c0bcbf8438

                  SHA256

                  ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

                  SHA512

                  65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  8.2MB

                  MD5

                  3c775cb7a892e5e6f9bf81e69210541b

                  SHA1

                  ccd1e61e4bdb9aa0b928c54fc85ae4d511fffc77

                  SHA256

                  7d2202d0eb4276c327e134f457f89953f239c6546f0e8e7fe233a07b2d422624

                  SHA512

                  ce952dfcfeda0f55fb6b48885a7dccba2b1e85196013fbbb5a73818b231d7c0d7e954a93b7f1906a48ceb8a66285776b43abf6a67f5cd2b2cc1ea8e1cbfb7fd8

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  8.2MB

                  MD5

                  b9cd4b555e37c2d6a9507c194f76d5e0

                  SHA1

                  702ce0d54d4c759b9f6e0678c51a974de7868aed

                  SHA256

                  5401e93ccd0d94c23278e699f99dda3aa1f6f73d17a030d4dbb9bf37c0b8dfbe

                  SHA512

                  2faf5dc219b9e8d2d7226fe5f63ff9970ec1d18b6903e0fb49d7e31a0df58f7257bfa2d0c5c66db9d3e6940a466706ae62d57f93bb4db10b282d60c471300838

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  8.2MB

                  MD5

                  af9a5278ec206a6b57e7827e64f58bf0

                  SHA1

                  5a8bea26218e1b1cb66601d1bc39c837b20a5bd5

                  SHA256

                  1e1476c3e1d1168393af7c68fbe014d942ce8604ee1f9f8bc0ef5326c362276e

                  SHA512

                  3a850770dadb2bb6d980e29c06f6b6b13d0ad3a5078991b5787b44676152722edb6b4feb0e100e9cc4ae006ea8869203df1ae4b19735b0f6df03e272829c32d2

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  8.2MB

                  MD5

                  6fb4372f0d6eca51a5e38524282144ea

                  SHA1

                  14acdd0ab178485b39cec1bec8cc7a299f75ece5

                  SHA256

                  970d12f16860dbcd9a6b74620e198fbd7a9ba5f8d6df9d6adf4505095abbb8d3

                  SHA512

                  56263af0aee813482ed2f25062fd65e10c6830a7cd7fc16af64540a35dc2613091efab3ec92408df65d547df11c0fb1b814d90c8f141ab79b398b50d0a08fa12

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  8.2MB

                  MD5

                  ae0842460543f8c2a0455a7ad11c49fd

                  SHA1

                  834df960083ae47ffb09c6559f273ef8abef054d

                  SHA256

                  b62af3b44f41a70c1d1a00f01660d70f18d77be398548e4209216dbaa67b7ddf

                  SHA512

                  64822190191d265105d4ec6bf0a19aad2eadd6353b3fa8827b86fc17fd4321b7e859bc722fc3b722c732af8d369fde1fa30887c45a17eb84fb2e266f14b0453f

                • C:\Windows\System\msvbvm60.dll

                  Filesize

                  1.4MB

                  MD5

                  25f62c02619174b35851b0e0455b3d94

                  SHA1

                  4e8ee85157f1769f6e3f61c0acbe59072209da71

                  SHA256

                  898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

                  SHA512

                  f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

                • memory/896-258-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/972-205-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/972-121-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1040-156-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2128-240-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2196-120-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2196-32-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2280-261-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2536-237-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2776-172-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2832-268-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3336-0-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3336-112-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3360-267-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3436-274-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3700-277-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3884-238-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3884-249-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4064-260-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4064-215-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4128-262-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4552-225-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4612-117-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4736-73-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4736-70-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4976-76-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4976-154-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5000-165-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5000-179-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5012-114-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5184-239-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5184-177-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5416-182-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5416-214-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5632-155-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5632-170-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/6136-273-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB