Analysis

  • max time kernel
    150s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/05/2025, 11:11

General

  • Target

    2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe

  • Size

    8.2MB

  • MD5

    6db685c7c2e3c7b1262455f5dd2607f0

  • SHA1

    795ac9de22496df1395ac03c2960d75e9fbb5264

  • SHA256

    4e7db50b82d6096cc22d0e64a0513005e021cd11401799294d43f075ff960d39

  • SHA512

    ac262ceb58e43899a5c08ab0abe45522855e1c88c2ff801190172f2f94fe7add8eae3aa43d95dbd2e8a74080486699c2ea25fba6be2ecf31c515d0e1e428be51

  • SSDEEP

    49152:xyyqWyWy0GyqWyWyMRPC1eHc785dxytlWF17:xyyqWyWy0GyqWyWyMRPC1eHL5dxyjyp

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
  • Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
  • UAC bypass (3 TTPs, 6 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Disables use of System Restore points (1 TTP)
  • Drops file in Drivers directory (24 IoCs)
  • Event Triggered Execution: Image File Execution Options Injection (1 TTP, 64 IoCs)
  • Executes dropped EXE (30 IoCs)
  • Loads dropped DLL (18 IoCs)
  • Adds Run key to start application (2 TTPs, 24 IoCs)
  • Checks whether UAC is enabled (1 TTP, 6 IoCs)
  • Drops desktop.ini file(s) (64 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file (1 TTP, 64 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (39 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 6 IoCs)
  • UPX packed file (49 IoCs)

    Detects executables packed with UPX or a modified build of the UPX open-source packer.

  • Drops file in Windows directory (64 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 64 IoCs)

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 34 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel (64 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 12 IoCs)
  • Modifies registry class (51 IoCs)
  • Runs ping.exe (1 TTP, 34 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of SetWindowsHookEx (31 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 12 IoCs)
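
The signature names above each correspond to a small set of well-known registry locations. The Python below is an added illustration, not code from this report or from the sandbox vendor: it parses a `.reg` export and flags the Winlogon, IFEO, Run-key, policy, Explorer, UAC and System Restore changes those signatures describe. The export text is constructed, and the specific key paths and value names are my assumption about what each signature checks, since the report gives names and counts but not the values written.

```python
import re

# Constructed .reg export for a host showing the signatures listed above. Key paths and value
# names are the usual targets those signature names refer to (an assumption: the report gives
# signature names and counts, not the values written); the data is illustrative.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\Windows\\Fonts\\Admin 18 - 5 - 2025\\smss.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe]
"Debugger"="C:\\Windows\\system32\\drivers\\Kazekage.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Gaara"="C:\\Windows\\Fonts\\Admin 18 - 5 - 2025\\Gaara.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore]
"DisableSR"=dword:00000001
'''

SECTION_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]+)"|@)=(?P<data>.*)$')


def parse_reg_export(text):
    """Map each key path to {value name: value} for the REG_SZ and REG_DWORD lines of a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('Windows Registry Editor'):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or current is None:
            continue
        name, data = m.group('name') or '@', m.group('data')
        if data.startswith('dword:'):
            value = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')   # undo .reg string escaping
        else:
            value = data                                                  # hex(...) blobs kept verbatim
        keys[current][name] = value
    return keys


def values_at(keys, path):
    """Case-insensitive key lookup: registry paths are not case-sensitive but exports preserve case."""
    for k, v in keys.items():
        if k.lower() == path.lower():
            return v
    return {}


def triage(keys):
    """(finding, detail) pairs for the changes the signatures above describe."""
    f = []
    wl = values_at(keys, r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
    if str(wl.get('Shell', 'explorer.exe')).strip().lower() != 'explorer.exe':
        f.append(('winlogon_shell', wl['Shell']))
    userinit = [p.strip() for p in str(wl.get('Userinit', '')).split(',') if p.strip()]
    if any('userinit.exe' not in p.lower() for p in userinit):
        f.append(('winlogon_userinit', wl['Userinit']))
    for path, vals in keys.items():
        if '\\image file execution options\\' in path.lower() and 'Debugger' in vals:   # IFEO hijack
            prog = path.rsplit('\\', 1)[-1]
            f.append(('ifeo_debugger', f"{prog} -> {vals['Debugger']}"))
        if path.lower().endswith('\\currentversion\\run'):
            f.extend(('run_key', f'{n} -> {t}') for n, t in vals.items())
    pol = values_at(keys, r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System')
    if pol.get('DisableRegistryTools') == 1:
        f.append(('regedit_disabled', 'DisableRegistryTools=1'))
    adv = values_at(keys, r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced')
    if adv.get('HideFileExt') == 1:          # 1 is also the Windows default: only meaningful against a baseline
        f.append(('extensions_hidden', 'HideFileExt=1'))
    if adv.get('Hidden') == 2 or adv.get('ShowSuperHidden') == 0:
        f.append(('hidden_files_hidden', f"Hidden={adv.get('Hidden')} ShowSuperHidden={adv.get('ShowSuperHidden')}"))
    uac = values_at(keys, r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System')
    if uac.get('EnableLUA') == 0:
        f.append(('uac_disabled', 'EnableLUA=0'))
    sr = values_at(keys, r'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore')
    if sr.get('DisableSR') == 1:
        f.append(('system_restore_disabled', 'DisableSR=1'))
    return f


if __name__ == '__main__':
    for name, detail in triage(parse_reg_export(SAMPLE_REG)):
        print(f'{name:24} {detail}')
```

Feed it the output of `reg export <key> <file>` taken from a suspect host. Two caveats: `HideFileExt=1` is the Windows default, so that finding only means something against a known-good baseline, and IFEO `Debugger` values are also written legitimately by debuggers and some security products, so inspect the target path rather than treating every hit as malicious.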

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3120
    • C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
      "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1492
      • C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3580
      • C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:2868
        • C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
          "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4684
        • C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
          "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:116
        • C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
          "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3020
          • C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
            "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1744
          • C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
            "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2296
          • C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
            "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4852
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:536
            • C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
              "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4460
            • C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
              "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2916
            • C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
              "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4620
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1916
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4064
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4696
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:212
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4808
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:5048
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2304
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:5036
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1804
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4088
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4292
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2252
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:564
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4472
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4544
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:704
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1832
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3348
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1676
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1044
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3592
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2700
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2940
      • C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4864
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2696
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3608
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1536
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1836
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1156
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4504
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3572
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2864
    • C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
      "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2240
    • C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
      "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3604
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1952
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:3840
      • C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4412
      • C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4684
      • C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5036
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:212
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3708
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4244
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3964
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4088
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3656
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2024
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:748
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1904
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3856
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2856
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:996
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\smss.exe
    1⤵
    PID:4936
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\Gaara.exe
    1⤵
    PID:1688
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 18-5-2025.exe
    1⤵
    PID:1852
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c drivers\csrss.exe
    1⤵
    PID:3236
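
Two things in the tree deserve a detection rather than a signature count: system-process names (smss.exe, csrss.exe) executing from C:\Windows\Fonts\ and from a drivers directory, and the repeated `ping -a -l <host> 65500` children. Note that the family names in the submitted filename are not supported by anything on this page (no signature names them and the Malware Config section is empty); what the tree shows is a dropper that copies itself under Fonts\ and drivers\ and loops ping against two external hosts. The Python below is an added example, not the report's or any vendor's code; the events are constructed from the command lines above (PIDs are the report's) plus two benign rows I made up.

```python
import ntpath
from collections import Counter

# Constructed process-creation events modelled on the tree above (image, command line, pid/ppid
# as a Sysmon EventID 1 or EDR row would carry them). PIDs 1492/536/4064/4696/212/4808 are the
# report's; the last two rows are benign controls I made up.
EVENTS = [
    {"pid": 1492, "ppid": 3120, "image": r"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe",
     "cmdline": r'"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"'},
    {"pid": 536, "ppid": 3020, "image": r"C:\Windows\SysWOW64\drivers\Kazekage.exe",
     "cmdline": r"C:\Windows\system32\drivers\Kazekage.exe"},
    {"pid": 4064, "ppid": 536, "image": r"C:\Windows\SysWOW64\drivers\system32.exe",
     "cmdline": r"C:\Windows\system32\drivers\system32.exe"},
    {"pid": 4696, "ppid": 536, "image": r"C:\Windows\SysWOW64\ping.exe",
     "cmdline": "ping -a -l www.rasasayang.com.my 65500"},
    {"pid": 212, "ppid": 536, "image": r"C:\Windows\SysWOW64\ping.exe",
     "cmdline": "ping -a -l www.duniasex.com 65500"},
    {"pid": 4808, "ppid": 536, "image": r"C:\Windows\SysWOW64\ping.exe",
     "cmdline": "ping -a -l www.rasasayang.com.my 65500"},
    {"pid": 900, "ppid": 1000, "image": r"C:\Windows\System32\ping.exe",
     "cmdline": "ping -n 1 10.0.0.1"},
    {"pid": 700, "ppid": 4, "image": r"C:\Windows\System32\smss.exe",
     "cmdline": r"C:\Windows\System32\smss.exe"},
]

# Names the sample borrows; on a healthy host these run from System32 (svchost also from SysWOW64).
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
                "services.exe", "lsass.exe", "svchost.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def analyze_image(image):
    """Flag a process image by where it lives, independent of what it was named."""
    directory, name = (s.lower() for s in ntpath.split(image))
    reasons = []
    if name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
        reasons.append(f"{name} outside System32 ({directory})")
    if "\\fonts\\" in directory + "\\":
        reasons.append("executable under the Fonts directory")
    if name.endswith(".exe") and directory.endswith("\\drivers"):
        reasons.append("executable in a drivers directory (expected .sys only)")
    return reasons


def analyze_ping(cmdline):
    """Flag a ping invocation that looks like an ICMP flood rather than a reachability check."""
    toks = cmdline.split()
    if not toks or ntpath.basename(toks[0]).lower() not in ("ping", "ping.exe"):
        return []
    args, reasons = toks[1:], []
    if "-t" in args:
        reasons.append("-t (ping until stopped)")
    if "-l" in args:
        i = args.index("-l")
        size_tok = args[i + 1] if i + 1 < len(args) else ""
        if size_tok.isdigit():
            if int(size_tok) >= 1024:            # 65500 is the largest size Windows ping accepts
                reasons.append(f"-l {size_tok} (oversized payload)")
        else:
            # Windows ping.exe wants a number right after -l; with a hostname there the line is
            # rejected, so as written the flood never runs. Flag it anyway: the intent is the indicator.
            numbers = [t for t in args if t.isdigit()]
            reasons.append(f"-l followed by {size_tok!r} (malformed; numeric args {numbers})")
    return reasons


def triage_events(events):
    """(pid, reason) pairs; a parent that spawns three or more flood-style pings gets its own line."""
    findings, pings_per_parent = [], Counter()
    for ev in events:
        findings.extend((ev["pid"], r) for r in analyze_image(ev["image"]))
        ping_reasons = analyze_ping(ev["cmdline"])
        if ping_reasons:
            pings_per_parent[ev["ppid"]] += 1
        findings.extend((ev["pid"], r) for r in ping_reasons)
    for ppid, n in pings_per_parent.items():
        if n >= 3:
            findings.append((ppid, f"spawned {n} flood-style ping processes"))
    return findings


if __name__ == "__main__":
    for pid, reason in triage_events(EVENTS):
        print(f"PID {pid:<5} {reason}")
```

On Windows, `-l` sets the ICMP payload size and 65500 is the maximum it accepts, so the intended command was almost certainly `ping -l 65500 <host>`, a crude flood against the two hosts rather than the connectivity check the signature label suggests. With the hostname in the size position ping rejects the line, so nothing leaves the box; the 34 ping process creations from a dropped binary are still the thing to alert on.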

Network

MITRE ATT&CK Enterprise v16

Downloads

                • C:\Admin Games\Readme.txt

                  Filesize

                  736B

                  MD5

                  bb5d6abdf8d0948ac6895ce7fdfbc151

                  SHA1

                  9266b7a247a4685892197194d2b9b86c8f6dddbd

                  SHA256

                  5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

                  SHA512

                  878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

                • C:\Autorun.inf

                  Filesize

                  196B

                  MD5

                  1564dfe69ffed40950e5cb644e0894d1

                  SHA1

                  201b6f7a01cc49bb698bea6d4945a082ed454ce4

                  SHA256

                  be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

                  SHA512

                  72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

                • C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

                  Filesize

                  8.2MB

                  MD5

                  b40505dd9bfbd4cee5bbd3330764476b

                  SHA1

                  260c7cf6363e052534320347f4c70e37649086d2

                  SHA256

                  ba7960c02ac5bac9103b539efd0132c675444dd92a34c8d8b12f7f0446366fc0

                  SHA512

                  a184224fefe6bb5ec0c2897c11a944e130db16a159fc4b047b997971a90b75028354f9d2c459eaf12d664d8ca9689d0ea38ae08147c7b6a1e6f561940825b33b

                • C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

                  Filesize

                  8.2MB

                  MD5

                  6db685c7c2e3c7b1262455f5dd2607f0

                  SHA1

                  795ac9de22496df1395ac03c2960d75e9fbb5264

                  SHA256

                  4e7db50b82d6096cc22d0e64a0513005e021cd11401799294d43f075ff960d39

                  SHA512

                  ac262ceb58e43899a5c08ab0abe45522855e1c88c2ff801190172f2f94fe7add8eae3aa43d95dbd2e8a74080486699c2ea25fba6be2ecf31c515d0e1e428be51

                • C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
                  Filesize: 8.2MB
                  MD5: 0587e4f8237ea92f227b596ddeffe39b
                  SHA1: b34b8ff8969df0a0a65eb5bdd2e4262f813dca98
                  SHA256: 3e284151765d98efa1fcb69c46e14c0bd594dd04179fefef3d662e4fe5423c81
                  SHA512: 12bcbc6b6872059fd8ae52271ae89daeebef5c44e0871ed94ad377db086111499e899c704d266f23c437772628ee59236a5a6ae3c1b9aa2c1dfcf9cb46e7ff9d

                • C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
                  Filesize: 8.2MB
                  MD5: c1e12c8e320ba1262fb0d7b48f7830d8
                  SHA1: b34424dde2a2de4edb039392f23b656032e59b93
                  SHA256: 6f861cfbd3569e9069f4c44459e8c05f428417eb6791ee52ba221d18646e67f5
                  SHA512: fd9c257c47427f1e3315d7cf8e3c751c2a14f9e0beba86eeeb2259dccc0698b16a727126cfeca01f62315667df772394819aab754afdb09558cacd4acd59f244

                • C:\Windows\Fonts\The Kazekage.jpg
                  Filesize: 1.4MB
                  MD5: d6b05020d4a0ec2a3a8b687099e335df
                  SHA1: df239d830ebcd1cde5c68c46a7b76dad49d415f4
                  SHA256: 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
                  SHA512: 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

                • C:\Windows\SysWOW64\18-5-2025.exe
                  Filesize: 8.2MB
                  MD5: 9cfaa7f33f099a3a2111c467818a9453
                  SHA1: e80ddc7b4d8ee03b035461f4621b690d9907dc0b
                  SHA256: d36ce338e7609b4befad73350b8a1838cb908a64a1fc2462f5dd0910b3099b92
                  SHA512: 503b5643a6477cefa3f47e123e31ba33f5ec6339f9b840f7181525db1f6cc9526044237e508c1565da04e764476616ca95c7432d72a1946f3fee2da7478bff42

                • C:\Windows\SysWOW64\18-5-2025.exe
                  Filesize: 8.2MB
                  MD5: 73046555826e790b83611bcf283f89be
                  SHA1: 62119c7facf960b4253a8798d5ba10c96bf9f721
                  SHA256: 93fbada7fd924b04f8ede0b55f8844968e43414e99c46127147c47f2a064660c
                  SHA512: 65971365bd97c1891569693712036ff0f8f7a9c4de675eed5e29e5327a4b5fe8c8796b71603663843b1f0ee42a59eca3a8df1e5b38071a6b674d6cd231ec489f

                • C:\Windows\SysWOW64\18-5-2025.exe
                  Filesize: 8.2MB
                  MD5: 82f89e0efd5366bf83fa3088cfee942e
                  SHA1: 3b5d55ba9602668dca5d91e16e30efb7e66b9f07
                  SHA256: 50b7e07979abc00b558d66758f53fca92e51292fa0993eca7082a85c74f3c426
                  SHA512: d06f9f4bc0214a25b602d1d41f0fed7bd11b766d20ad1d972f85d434fa4e56bcd28e65c83c40b4815d29e9110dd7347458cc42d3294ceb8211c868e98328876b

                • C:\Windows\SysWOW64\Desktop.ini
                  Filesize: 65B
                  MD5: 64acfa7e03b01f48294cf30d201a0026
                  SHA1: 10facd995b38a095f30b4a800fa454c0bcbf8438
                  SHA256: ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
                  SHA512: 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

                • C:\Windows\SysWOW64\drivers\Kazekage.exe
                  Filesize: 8.2MB
                  MD5: 11d664154930e8524ec6f9c2ca5ec54a
                  SHA1: a00e400329656d34f1e0f06f71e0bf71f3291997
                  SHA256: 99c87383e7ab52e3f32d9adc98aa275afee8304850d476495b035ebf6654c4a6
                  SHA512: 401f4259eb4af2abb8779fa26c5e94a9afffadbfe32538f0b667bd748ffd0463fc35a30adf73adaae15b1c2224a9bfb0dbb03c024d433c3ba518c2a7683045b7

                • C:\Windows\SysWOW64\drivers\Kazekage.exe
                  Filesize: 8.2MB
                  MD5: b8856d5dc116af4b7b7b5acdfa60807f
                  SHA1: 573546145d4563bf060c0a46b4eee2d4da4dca2f
                  SHA256: e4f94219841169ca940eb69ded9e54038e3e7c09b46dc8548f039448232bab0e
                  SHA512: f2baec56290e3bfd139b4b726d057cf74a1fdf5c158ee845c6828b73a8fded3aacafd6e3f35a2c8eb173d2727991155f21ebd83213ce5c8e421be050b74fd91f

                • C:\Windows\SysWOW64\drivers\system32.exe
                  Filesize: 8.2MB
                  MD5: 43b3acde70a8e97ec5c1f56820746ef3
                  SHA1: f5c85ecd27d36622a181c13009244befc9ba2ea6
                  SHA256: 7b4a68fd4cc6d6da139f0da8ca52ac170c1c939fa2c9bf499577a91bda8197c6
                  SHA512: c0c94e4eb717622a9bb6d78eb886cc07577fbd9ad818828e5aa04e060e77540c05fc31768b0b565cc90cb011780b5fbc3e80b25177441029904d1db9f6919600

                • C:\Windows\SysWOW64\drivers\system32.exe
                  Filesize: 8.2MB
                  MD5: 2be3a78a67d8a21a0e57d09d8dc5b88d
                  SHA1: 2196b991d80ed0ea9caa58dc8519cc2df9f63d67
                  SHA256: c6d7e90e370c726fe78562dfbf095a8651139598400ab7e9b3a850767d40cb04
                  SHA512: 62540a1a6dc71de6b6916ce8bbc1e7483d387de9d6aae9f01866076a28af4ff6f2e54f4023b710d715e9d9a0fb5f436db2a4bba6e7e61b1b5ce2fd726cc3f51c

                • C:\Windows\SysWOW64\drivers\system32.exe
                  Filesize: 8.2MB
                  MD5: b90ebbf53af4a626ce927f6e6db5957f
                  SHA1: e3e4eb6892b405d851f90f85405d2aa293a2f139
                  SHA256: d401c64f7ce91605ebc2d4a556dce17a3a3a757305e2c21a22794fd67e6ab434
                  SHA512: 3a0158c06539e87994ff6420df79a017c17d483aade391c40cdc554453dfdcbe280bb93382a9b5a6c3ee2e2c52b0d47956d2d96543d987b7fec8ebba15e2e868

                • C:\Windows\SysWOW64\drivers\system32.exe
                  Filesize: 8.2MB
                  MD5: 05ceb1872969e2a0aa00d134559f611c
                  SHA1: 9362de422bee0e6f17628573b992abe6e6f54db8
                  SHA256: e2d0736f22fe1fffe8f0f08d1c0b60810eaee0522f748a32a5f6651ae3543e5e
                  SHA512: eba0dce6e8ffd002672d552e06eb4169194264695919a68f3aa007dcecb6bc3ac77ad3870a8a60e2e46daf2f552d7f9c6da88cad1a56210350ee16f00d841f8a

                • C:\Windows\System\msvbvm60.dll
                  Filesize: 1.4MB
                  MD5: 25f62c02619174b35851b0e0455b3d94
                  SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
                  SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
                  SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

                • memory/116-119-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/212-272-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/536-226-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/536-166-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/704-267-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/1492-32-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/1492-127-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/1804-262-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/1832-273-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/1916-237-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/1952-207-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/1952-215-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/2240-193-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/2296-153-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/2296-160-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/2696-249-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/2868-158-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/2868-76-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/2916-213-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/3020-121-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/3020-195-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/3120-120-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/3120-0-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/3580-70-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/3580-73-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/3604-209-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/3608-247-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/3608-259-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/3708-276-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/3840-217-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/3840-260-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/4064-255-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/4460-205-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/4684-261-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/4852-162-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)
                • memory/4864-234-0x0000000000400000-0x000000000042B000-memory.dmp (Filesize: 172KB)