Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/05/2025, 13:26

General

  • Target

    2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe

  • Size

    8.1MB

  • MD5

    b8b2a4463646a9a50b5ef886d05b2bc0

  • SHA1

    6260b19ffd864de7e9c1828ff59f7176e83f1ac0

  • SHA256

    fd3413c6e3fd46d8a89123b5146a5895b0c48ec7da50f5dde698609714e9c5af

  • SHA512

    e31bf80d6bbd23ebe1008ee8322a317fb61ee5d9be13b98e67dd0a6ecbe9d259ecd44420bcdf60a79d6ed9368c0aa2128138e621addc21c9b52848cfbcb42094

  • SSDEEP

    49152:6GyqWyWy0GyqWyWyMRPC1eHc785dxytlWF17:6GyqWyWy0GyqWyWyMRPC1eHL5dxyjyp

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 36 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1388
    • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
      "C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:1844
      • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1892
      • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:1004
        • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
          "C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2192
        • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
          "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4492
        • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
          "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3284
          • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
            "C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3332
          • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
            "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4072
          • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
            "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:436
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:3124
            • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
              "C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1748
            • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
              "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1788
            • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
              "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1704
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1532
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1856
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3320
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2016
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4672
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4500
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3356
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1540
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3216
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3292
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4052
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3308
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2268
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2468
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4764
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2596
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1168
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1172
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3684
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1412
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:400
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4900
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3652
      • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4824
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        PID:2372
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4000
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4540
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3236
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3404
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2468
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:400
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3712
    • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
      "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4136
    • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
      "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:728
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3444
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:740
      • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:4760
      • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3628
      • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5068
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3832
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4932
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3656
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1864
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1664
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1272
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4472
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2192
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2736
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3596
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1660
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2312
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2776
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4404
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\smss.exe
    1⤵
      PID:3968
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\Gaara.exe
      1⤵
        PID:1148
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c 19-5-2025.exe
        1⤵
          PID:3468
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c drivers\csrss.exe
          1⤵
            PID:384

          Network

                MITRE ATT&CK Enterprise v16

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Admin Games\Readme.txt

                  Filesize

                  736B

                  MD5

                  bb5d6abdf8d0948ac6895ce7fdfbc151

                  SHA1

                  9266b7a247a4685892197194d2b9b86c8f6dddbd

                  SHA256

                  5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

                  SHA512

                  878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

                • C:\Autorun.inf

                  Filesize

                  196B

                  MD5

                  1564dfe69ffed40950e5cb644e0894d1

                  SHA1

                  201b6f7a01cc49bb698bea6d4945a082ed454ce4

                  SHA256

                  be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

                  SHA512

                  72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

                • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

                  Filesize

                  8.1MB

                  MD5

                  3df692b7ddc2757c884e3b9aebb9398b

                  SHA1

                  adb9ad44233afd1ec5ae855a457ad7efa2277ae9

                  SHA256

                  d7d67980e293650a4b7623328a1b06441683e67cc62c7195c203947821315ccd

                  SHA512

                  6771b2cb2ea49de367084b7d3efad47611c84d012d82d8ba574b76622b04e681e1509e0e05a7a3ff50032c5ed0e08aba78c7754906b2c7b179d1de882555bb85

                • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

                  Filesize

                  8.1MB

                  MD5

                  b8b2a4463646a9a50b5ef886d05b2bc0

                  SHA1

                  6260b19ffd864de7e9c1828ff59f7176e83f1ac0

                  SHA256

                  fd3413c6e3fd46d8a89123b5146a5895b0c48ec7da50f5dde698609714e9c5af

                  SHA512

                  e31bf80d6bbd23ebe1008ee8322a317fb61ee5d9be13b98e67dd0a6ecbe9d259ecd44420bcdf60a79d6ed9368c0aa2128138e621addc21c9b52848cfbcb42094

                • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

                  Filesize

                  8.1MB

                  MD5

                  13e9d4c4b4d4b2128ce3982347a8a668

                  SHA1

                  1d243d51520c2088c8705e891b97debbbc7c5ba7

                  SHA256

                  4667f1e9260d0826ce431c79f077bdc9f2bb66f37b950f456b0cd64ce0ab1d3f

                  SHA512

                  1f3eeac634890f32bc65b8f8e32083bdf542bbc149f4a84f42491953ad292e4a1ce216d3798437d0c46c7ad8f056d867b0f749d801288b52b2dbb9c4dcc4f034

                • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

                  Filesize

                  8.1MB

                  MD5

                  957527f2d9b8c57d8bf997f5002a43c1

                  SHA1

                  7bcfa15a618f8651ddd7d277292f6be964e8f9e1

                  SHA256

                  c07cf6cb0539719a628177eb4161dc06d7d6c511939780055c180bb7686506b1

                  SHA512

                  e57dc2f59525d3c775ccf3619692e6ee6e7b464b837ef1bc99837dce2edbd1815cd4c9a98e0ed3d743497c7618a75fab96fa04f7772625bba73b636441909d27

                • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

                  Filesize

                  8.1MB

                  MD5

                  1a83b5cf772454decef6853477e08c7c

                  SHA1

                  eea0b69d9393d179494e047c459f16d077236e83

                  SHA256

                  071605e6255f13f58770364162b50170a187d03ac1828afb716bffce070fc80a

                  SHA512

                  aed860165b0fea26be408a92ae4311b76ac1c088203cd323dbd4024737da88b5a55f13450203e0b26507d088a111956f3a5d1b65a3a472ea008791c6f2c0ee39

                • C:\Windows\Fonts\The Kazekage.jpg

                  Filesize

                  1.4MB

                  MD5

                  d6b05020d4a0ec2a3a8b687099e335df

                  SHA1

                  df239d830ebcd1cde5c68c46a7b76dad49d415f4

                  SHA256

                  9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

                  SHA512

                  78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

                • C:\Windows\SysWOW64\19-5-2025.exe

                  Filesize

                  8.1MB

                  MD5

                  bb3e8447a82d251c6027f7fce6333ea7

                  SHA1

                  d1594361ce4622d1de32a59035be3633ba0cbf34

                  SHA256

                  e72f64461b19b9e0b43128b1ad125e413621ac953b508ffc1daf36f85ac1023e

                  SHA512

                  841dfc96b2cb2239fbda35203f49b8bbd585f3def9372d78254b18f77a27d2691b7628f4e712da284e32874f63c91936f06dcfd33251be8eb56a0605c07df2ac

                • C:\Windows\SysWOW64\Desktop.ini

                  Filesize

                  65B

                  MD5

                  64acfa7e03b01f48294cf30d201a0026

                  SHA1

                  10facd995b38a095f30b4a800fa454c0bcbf8438

                  SHA256

                  ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

                  SHA512

                  65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  8.1MB

                  MD5

                  f04ccfada02001f14b3112c000825f66

                  SHA1

                  04559da58e84a66f0447394c8733652197176cf4

                  SHA256

                  9b34ec0f5d18bc26c66abe5fb74830a83783d495fc8059bb859e5e802c2f03a1

                  SHA512

                  89e3e251ff3987bf3f7bfb5609637eff2b60577b508516d80e8bf5871b7d072dae36bae28b18661bb1b5112a260e6557c0250d5e833857e52364c87ded507c96

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  8.1MB

                  MD5

                  86dee1ac790976cbd4967154c4539199

                  SHA1

                  e3ef4b706b72e92b91afe65542b4dc876894e570

                  SHA256

                  c28cd8375e8323948bd97443756a56c1273652c428d62eacb981f4dda4b5457b

                  SHA512

                  cf5b58aae16adfdc37e82d75c6f1deec0c90ae2ebb9b2a3810b54ae65b624fd4c82a75b0cca1ee3a0ecdee39f260f96eb92a13f9a79fed0b2012566095284bb4

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  8.1MB

                  MD5

                  8f9e0ba499c51cc6a3cc3a5a7b67e9f3

                  SHA1

                  8ed9c517d37a1a046d612a62934439c014180556

                  SHA256

                  3d5b7a5421232fd030a92205a75da965bc3ab6ef004b651a78b21e9e95cbab71

                  SHA512

                  d867d79e15d02ab3ac7ec2de612a6a40e9fe9781b4cd862ea680199ba3744cddc3b699893fc7235c10adafff5198a05df102f9c712a0e873fc7e46043ecb02bd

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  8.1MB

                  MD5

                  87a0977b73a1f136f5be126b8382c03d

                  SHA1

                  f13ef620ea88eec1ab5bd60cddc681564be16471

                  SHA256

                  0da343a46e37f086f99d9dd8e00d7b925e78c0fa712c4a862d97791047ca040e

                  SHA512

                  22f8c46d1c11b5520dbd97a27a70c3a86f05f51db65baf077c975fb1688884365cb01520b5e74568a574240ebdd2c8f2fea5acada6da3adeed0f5d22b29c2705

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  8.1MB

                  MD5

                  8a29fe1674162c0ea029115411eccf22

                  SHA1

                  d372969d7e65920f8f2c5f3124842d1d2d4b98b4

                  SHA256

                  d8bf193ecc3d900837b4c123e3019359eb394f9109028d49ee2fb3089d9e759f

                  SHA512

                  bed92eed390270995f16dd897cb236b51cde5c65f07d075de67532ac57488c76fa4bda2b403a2ff8a3e2e04e3859611ac4759e394e87e907a10e54732f52788e

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  8.1MB

                  MD5

                  447155b4b7b27e1f70c14ecc10d0649e

                  SHA1

                  30493995cba519b46b0ddf04d3933c28229a05db

                  SHA256

                  560f30049922a4ce769564b62f1826a30c041b5bb6528654f512f2f2f841026e

                  SHA512

                  f94d54f4c7d82a7560065dbee0d87c51c47724132fb19efbf6948a9594f61aac4ab8421018e49de138909783989c9994944cc21272ea9dcf0d1155baeb077ed3

                • C:\Windows\System\msvbvm60.dll

                  Filesize

                  1.4MB

                  MD5

                  25f62c02619174b35851b0e0455b3d94

                  SHA1

                  4e8ee85157f1769f6e3f61c0acbe59072209da71

                  SHA256

                  898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

                  SHA512

                  f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

                • memory/436-173-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/728-178-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/728-191-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/740-549-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/740-312-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/740-219-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/740-278-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1004-168-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1004-77-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1004-374-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1004-313-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1168-295-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1168-307-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1388-309-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1388-121-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1388-0-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1388-315-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1388-321-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1532-276-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1788-253-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1788-230-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1844-362-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1844-316-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1844-141-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1844-310-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1844-32-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1856-290-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1892-74-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1892-70-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2372-263-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2372-239-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2596-297-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3124-259-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3124-184-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3124-548-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3124-311-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3216-303-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3284-122-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3284-416-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3284-314-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3284-213-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3444-221-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3444-188-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3832-301-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4000-272-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4000-260-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4072-164-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4136-177-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4492-118-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4760-254-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4824-241-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4824-227-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4932-308-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5068-289-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB