Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/05/2025, 14:47

General

  • Target

    2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe

  • Size

    8.2MB

  • MD5

    5d94c92d0e4d68fdd3b2bc6be6cef612

  • SHA1

    cd2594f5a9da48781633962b78a22461b75dd54d

  • SHA256

    b7bccca618d889b72c3ec43f142082cdf5e79df979817de0b884f6fbc2fac7d6

  • SHA512

    fc04dc61ce316f16898ca6263687f562cd4a41ef5ed2dbe7b57e947d6672899e6d3e7bab6cb9be3c2d24af0e88dc4775d292a2bc62e866aa7e2b8f4363a99e9a

  • SSDEEP

    49152:byyqWyWy0GyqWyWyMRPC1eHc785dxytlWF17:byyqWyWy0GyqWyWyMRPC1eHL5dxyjyp

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • UPX packed file 46 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 32 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3160
    • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
      "C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4624
      • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4980
      • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4832
        • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
          "C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4788
        • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
          "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4368
        • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
          "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3624
          • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
            "C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2308
          • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
            "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:5624
          • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
            "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:5224
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:6096
            • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
              "C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4040
            • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
              "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:5916
            • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
              "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4968
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:5540
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visiblity of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Event Triggered Execution: Image File Execution Options Injection
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3216
              • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
                "C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1640
              • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
                "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3332
              • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
                "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1296
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1012
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:5300
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3996
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4396
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:928
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:3696
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3604
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2912
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:856
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4132
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4564
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:5576
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:5084
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3872
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5628
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5124
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3208
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3428
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5776
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5004
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3364
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:5156
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2592
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1932
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1360
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:5672
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1628
      • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3180
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5276
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1224
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5264
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3192
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4720
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3136
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2756
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4984
    • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
      "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:876
    • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
      "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4128
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5628
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3852
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1008
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4828
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:5072
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2380
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\smss.exe
    1⤵
      PID:2832
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\Gaara.exe
      1⤵
        PID:5928
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c 19-5-2025.exe
        1⤵
          PID:5168
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c drivers\csrss.exe
          1⤵
            PID:3432

          Network

                MITRE ATT&CK Enterprise v16

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Admin Games\Readme.txt

                  Filesize

                  736B

                  MD5

                  bb5d6abdf8d0948ac6895ce7fdfbc151

                  SHA1

                  9266b7a247a4685892197194d2b9b86c8f6dddbd

                  SHA256

                  5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

                  SHA512

                  878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

                • C:\Autorun.inf

                  Filesize

                  196B

                  MD5

                  1564dfe69ffed40950e5cb644e0894d1

                  SHA1

                  201b6f7a01cc49bb698bea6d4945a082ed454ce4

                  SHA256

                  be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

                  SHA512

                  72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

                • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

                  Filesize

                  8.2MB

                  MD5

                  ab30cdc327911d812d365eb2682b6f14

                  SHA1

                  000110c49df63032739224a822dca8181d2350a6

                  SHA256

                  c21216746e591bda1efc52627070344fc1d2c1c959f77d9435818ca80af53ed2

                  SHA512

                  80251f374d6c90d971321e10ac6620c6e07c96d9dfd9ce20235e23830a512127d2bd2271c7cc629db0477bafe4ffd631f186c0c6f74bc3d4fbdbe4ed7bb994e2

                • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

                  Filesize

                  8.2MB

                  MD5

                  5d94c92d0e4d68fdd3b2bc6be6cef612

                  SHA1

                  cd2594f5a9da48781633962b78a22461b75dd54d

                  SHA256

                  b7bccca618d889b72c3ec43f142082cdf5e79df979817de0b884f6fbc2fac7d6

                  SHA512

                  fc04dc61ce316f16898ca6263687f562cd4a41ef5ed2dbe7b57e947d6672899e6d3e7bab6cb9be3c2d24af0e88dc4775d292a2bc62e866aa7e2b8f4363a99e9a

                • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

                  Filesize

                  8.2MB

                  MD5

                  b5bd677dfc8d7b10c97fbafa25711035

                  SHA1

                  32801820f15d30ae990981a935ba1827d18462f8

                  SHA256

                  c8b9fbfe3a954c9ffb3f68455298d1a8e9b18d97d8162fb4090ee1c95cfe20b3

                  SHA512

                  2984d0cdfa0172e89940307ac88379082469baf3d923c4165a7a97af628b4c086f7f367b9538524e83e990e5dbdeb015d0db8d1aede9b92763f989bf77fc9755

                • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

                  Filesize

                  8.2MB

                  MD5

                  afd29303db6ee02aa734410f3c01467a

                  SHA1

                  066ab54884644cf713b05a861267a75f9fe753b1

                  SHA256

                  3bb428094af0fe29ea786d9a4d21cadb0f781555980c2cbc6a71dac977256a94

                  SHA512

                  e5bf3839f2b891d3441ceffff376d2e6a16a8459c05559123e6efa7ec3d277050f8afc7d5f344497a82b157e639288abb71c481d8225d11cf280a5d9b82207fc

                • C:\Windows\Fonts\The Kazekage.jpg

                  Filesize

                  1.4MB

                  MD5

                  d6b05020d4a0ec2a3a8b687099e335df

                  SHA1

                  df239d830ebcd1cde5c68c46a7b76dad49d415f4

                  SHA256

                  9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

                  SHA512

                  78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

                • C:\Windows\SysWOW64\19-5-2025.exe

                  Filesize

                  8.2MB

                  MD5

                  146a99867d02ee314ef7e9a272195502

                  SHA1

                  f26afa19a67cd7ff27664073a4c15271fa0a4030

                  SHA256

                  fbe0025a648fd9ef8821edbc5ba5fa338f76e21a46766563be1326390121d8cc

                  SHA512

                  92a6ad3c02b9b631bfc1a4d9fa312abfd3fcf7d3049d4be65517624ae1ebe142efdf7ce65b64ed96f5295096d58463e5b8fcddf62c057f20a70cf857235fe4b6

                • C:\Windows\SysWOW64\19-5-2025.exe

                  Filesize

                  8.2MB

                  MD5

                  a04f7c845150dc86333958f02fe39bad

                  SHA1

                  2b6133562469d70ce18532865630fcd34303c2b5

                  SHA256

                  786275f69251ad09f8af4b256ba17c26cb6447243cb26513a6d87bee68995f9d

                  SHA512

                  0f141d2426e74dd7046bc3bb6772dcf8fdc04dfea87c0c24176a7d79b78c7070c1701dcbf7cde0f259a78dfdcd435ff6669eb04051aaf1b3dfb9af0dd2af251e

                • C:\Windows\SysWOW64\19-5-2025.exe

                  Filesize

                  8.2MB

                  MD5

                  8ec9eac2665e276c0a158fda5bbbcac9

                  SHA1

                  001d59ca48d702d481e47c6d617a0bfb36e84a45

                  SHA256

                  3ed6f555acf21238604fb8650203483e64f004c303bc3d2fe198a4f95b6e6a63

                  SHA512

                  920cbd1a0b444c3354882408866ad75f8d02717b0d398ca70929a159bd224b3720338b88d73071ed21fd62316e3941a89d5fc7863dbd3b6b8018de46bda0ffe9

                • C:\Windows\SysWOW64\19-5-2025.exe

                  Filesize

                  8.2MB

                  MD5

                  73ad0531079c3da71e234fff12a2f0b4

                  SHA1

                  6ddca005f6cc9a447232b0271de6f59285c5d460

                  SHA256

                  d0e0b0cbc200d849fc498021d8e3296532397d086650d4515d6cebc9f39691d7

                  SHA512

                  d2b5967a0be49822702f05d8f97c42e675f3e6b63e6925d443a0a7b7c8b4df44b39e693ee229b72cdb2fc80bce5ee42a7cb98f9c54f74d4a351011186f407e04

                • C:\Windows\SysWOW64\Desktop.ini

                  Filesize

                  65B

                  MD5

                  64acfa7e03b01f48294cf30d201a0026

                  SHA1

                  10facd995b38a095f30b4a800fa454c0bcbf8438

                  SHA256

                  ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

                  SHA512

                  65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  8.2MB

                  MD5

                  39c26014038df5c722ce85ab22adbdd3

                  SHA1

                  80fd1d1bd7fd26db8d9cd4dc2fa117fcee0a2205

                  SHA256

                  9c31878274cb12180466f20466187480ae98ed3ef42f5297be226882e0f1814b

                  SHA512

                  1bec8f82c50f8abfc0ea636cbb4125824a0257ad12cb8ac5fbec895719343e9bb97e45a76bc40c298f588dfd0635ba01e6fcc346e0506c49f2f689adc46a5971

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  8.2MB

                  MD5

                  c120a1d9ea52655be12440c73bcef24d

                  SHA1

                  1033a713e5fc432dc207b5bb0cf77c3f8140a8fb

                  SHA256

                  07983115433516c6b1d9175d16f1d82343c287575ebd107c01b9b3cbfd98c952

                  SHA512

                  935968d5159e8ebdcd65d274d09f7d7ca56f37d7fb3cd18efabb948a0dd2b157f9a7b1711312d7a7828ce7a1d6f61e060f553d648fd99058213c8f101f6553c8

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  8.2MB

                  MD5

                  fffab0c0ed1f7dc1bd374b17f77d5c01

                  SHA1

                  98453ead12bf0b29d20aba56a8b61659c45a79d3

                  SHA256

                  2fa4cebc8bfc3de7cb787d4e267b9252832b78c410b17023c82ae8cf960dc245

                  SHA512

                  f7db684fc763392a0c7177c223145ef1d4d5756f2c26907ee99b54c570b0a0fd2c963ea141eca61765ecf45943a3bcdb2d2c3844c817f06ebeb719612535a134

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  8.2MB

                  MD5

                  084430f6e639cd980f5f3dd70679317f

                  SHA1

                  3258f33530907841187a40917660a73b89679705

                  SHA256

                  863958e4582bef80c15e1b8c52cbd40d875e54500b8b493b4ade788aeb7bc735

                  SHA512

                  32fef8486de0f316f8ea6f07b44f23437690358bbdd1eccb77006633574bd1ea0aa6a165a15d3cdfc6a89a475eefbc6f9292c5a0fe2c15d0c440ff394474f8df

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  8.2MB

                  MD5

                  e5a9999e3b680ff2ae33af57e8266496

                  SHA1

                  51601d01cc6b099b15b7f799b9b0fc87c3a42847

                  SHA256

                  c8b3fce4df5741daafb8dc9e21bdcdb9a96899ce2891ae39d46322f13d94150b

                  SHA512

                  cb1c72028cd0ee77cc5c2a29203bbe4686cec702dca0468bf0edba9674b5dd542b7c47d8440483f96e5cc8b3c39654a7c8d36f67dadf2e429bfa81491180abc5

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  8.2MB

                  MD5

                  f45bfc455b25678125656829daeaff37

                  SHA1

                  bcd7dd66bb760406eb2309cb09d1485a72b79430

                  SHA256

                  fa2f6cb1896cae9e32512ded50f8d5e9d9a2c35a5778e139fe3059ababb6ba5d

                  SHA512

                  3edb43da90f3249a40d44c04ad122cbd373d337842413373b637c27327dd69682f8721e8b5bb325dd816fbe2317f3c3389c21790149595cd2e1cd4185b52481a

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  8.2MB

                  MD5

                  251b6481ab586bfe0b6e2b8da69e4858

                  SHA1

                  2136a61ecee914975df5c661dd060e70de2c1ed1

                  SHA256

                  7bfc7f4ba3a24c5e461a6a29e72105db52e0a3c3810e376259ee1c7c738a08b8

                  SHA512

                  89152e3d629ef85f5d08591f7d1e41fd44022adde7cbe4f9309c3a72e3ab5b052ef706eee92460427fc9fde48c3c5578b939910927a74eaf5a4e4d3906843135

                • C:\Windows\SysWOW64\mscomctl.ocx

                  Filesize

                  8.2MB

                  MD5

                  9b88e635d9fb6dbc87a4b1fac2bd66cb

                  SHA1

                  b5eadf49ed0cb8b555643408a5f311b119e106d1

                  SHA256

                  e50b01dabb2c888aac0e0f52d7b83e142cd8296f8e3a1ce42d7be4654fdd6b15

                  SHA512

                  c23bf7fbb29e7e2e5f36ffec93a56337a4b88e246c44bb40777d80561eba6059b32d615fce390f46775e8107d506317ac78b821950351ad892a76289cb0d175e

                • C:\Windows\System\msvbvm60.dll

                  Filesize

                  1.4MB

                  MD5

                  25f62c02619174b35851b0e0455b3d94

                  SHA1

                  4e8ee85157f1769f6e3f61c0acbe59072209da71

                  SHA256

                  898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

                  SHA512

                  f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

                • memory/876-262-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1012-234-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1224-259-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3160-0-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3160-156-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3216-253-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3216-206-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3332-229-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3364-250-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3624-120-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3624-224-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3852-270-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4368-115-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4624-163-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4624-32-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4832-196-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4832-78-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4980-70-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4980-77-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5004-244-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5084-241-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5224-159-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5276-256-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5300-238-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5540-202-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5624-153-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5628-267-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5916-193-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/6096-235-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/6096-164-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB