Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/05/2025, 14:28

General

  • Target

    2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe

  • Size

    8.2MB

  • MD5

    98fb17cd44481c16e1b7ee97315b8d15

  • SHA1

    e736aca23e63bd7fb337a3015ed2a6aa86d63947

  • SHA256

    c57a979d2d6317bec84e4c9ec97fee642d6188aa9f4b018a018bea332a4ebba8

  • SHA512

    f250029f0f13d0a00d65b6ee63fa3108ad7fc4eb847317a9b525fe46006fd20b47de42cbd96bf188dff107443f6eaecff7de8022991985e4e01e296c2b53ca14

  • SSDEEP

    49152:HyyqWyWy0GyqWyWyMRPC1eHc785dxytlWF17:HyyqWyWy0GyqWyWyMRPC1eHL5dxyjyp

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • UPX packed file 50 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 32 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3944
    • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
      "C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5804
      • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:6012
      • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4820
        • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
          "C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4024
        • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
          "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4004
        • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
          "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3368
          • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
            "C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:5092
          • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
            "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:5944
          • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
            "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3080
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:4872
            • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
              "C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4360
            • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
              "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1688
            • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
              "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3024
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1000
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of file extensions in Explorer
              • Modifies visibility of hidden/system files in Explorer
              • UAC bypass
              • Disables RegEdit via registry modification
              • Drops file in Drivers directory
              • Event Triggered Execution: Image File Execution Options Injection
              • Executes dropped EXE
              • Adds Run key to start application
              • Checks whether UAC is enabled
              • Drops desktop.ini file(s)
              • Enumerates connected drives
              • Drops autorun.inf file
              • Drops file in System32 directory
              • Sets desktop wallpaper using registry
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Modifies Control Panel
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              • System policy modification
              PID:3600
              • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
                "C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2032
              • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
                "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2012
              • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
                "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2280
              • C:\Windows\SysWOW64\drivers\Kazekage.exe
                C:\Windows\system32\drivers\Kazekage.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1824
              • C:\Windows\SysWOW64\drivers\system32.exe
                C:\Windows\system32\drivers\system32.exe
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:1716
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:5376
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:5676
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4772
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:2588
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.rasasayang.com.my 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:5916
              • C:\Windows\SysWOW64\ping.exe
                ping -a -l www.duniasex.com 65500
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:1164
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:5924
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:264
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1288
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4640
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2896
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5536
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:840
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5800
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4056
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:5240
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3444
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:5844
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3416
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3576
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:428
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1728
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4260
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:5652
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2324
      • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4396
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:512
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:840
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4980
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5436
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4640
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1616
    • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
      "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:5536
    • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
      "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2036
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4484
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4540
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:400
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1504
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:5000
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:6044
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3364
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:828
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\smss.exe
    1⤵
    PID:6024
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\Gaara.exe
    1⤵
    PID:3492
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 19-5-2025.exe
    1⤵
    PID:2076
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c drivers\csrss.exe
    1⤵
    PID:4208

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Admin Games\Readme.txt
    Filesize
    736B
    MD5
    bb5d6abdf8d0948ac6895ce7fdfbc151
    SHA1
    9266b7a247a4685892197194d2b9b86c8f6dddbd
    SHA256
    5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
    SHA512
    878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

  • C:\Autorun.inf
    Filesize
    196B
    MD5
    1564dfe69ffed40950e5cb644e0894d1
    SHA1
    201b6f7a01cc49bb698bea6d4945a082ed454ce4
    SHA256
    be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
    SHA512
    72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

  • C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
    Filesize
    8.2MB
    MD5
    4780987de1ba478c9b5a76ea962521c4
    SHA1
    68eba2e52176a457f3e68d36aed727113182245e
    SHA256
    b1e9c18389599ade8f7390a45aa618760daefb339c669f6e8e6cecb2a9f8c914
    SHA512
    feaf43cdb93a9be78c93f75478ba8ed1dfe9279722f68b87f1c8cd8b620c5927229b4be238ecd7752881a984ebb258e7f46b792015157aa7280360f7d556be81

  • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
    Filesize
    8.2MB
    MD5
    98fb17cd44481c16e1b7ee97315b8d15
    SHA1
    e736aca23e63bd7fb337a3015ed2a6aa86d63947
    SHA256
    c57a979d2d6317bec84e4c9ec97fee642d6188aa9f4b018a018bea332a4ebba8
    SHA512
    f250029f0f13d0a00d65b6ee63fa3108ad7fc4eb847317a9b525fe46006fd20b47de42cbd96bf188dff107443f6eaecff7de8022991985e4e01e296c2b53ca14

  • C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
    Filesize
    8.2MB
    MD5
    b77c770292fef155a065cdca6b15a569
    SHA1
    c654e99009bb247d8105255ac19c4549a9656d0f
    SHA256
    215e010c645f8bf5d0a6f645ff879a2ef75fd2f09511c71cc6ae2a698aa76953
    SHA512
    09231757320c940ede61e0517a69a8a706d128bd94c456f39d02e6411ec8b22fac9532c89d12f473ac2ce5a994b0c4c27cb64e84fcf3c399190e08ce1b61f256

  • C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
    Filesize
    8.2MB
    MD5
    a1775b33af74ed139ee4a0426a8e316c
    SHA1
    6aa703a50e61d034d07e1200a6f3157761122128
    SHA256
    a0d93319e87b17ea0476787248719377e0a25f1f7e5a1fcfdb21125fc7c17ee7
    SHA512
    e0c23faccdb08bc3e06c00b7369de7995e207430707e38156114b6983bfd9313c82063f75add8dadf1d2f68bd3bccdabeeaddad60f34f2017ee29043ab367130

  • C:\Windows\Fonts\The Kazekage.jpg
    Filesize
    1.4MB
    MD5
    d6b05020d4a0ec2a3a8b687099e335df
    SHA1
    df239d830ebcd1cde5c68c46a7b76dad49d415f4
    SHA256
    9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
    SHA512
    78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

  • C:\Windows\SysWOW64\19-5-2025.exe
    Filesize
    2.8MB
    MD5
    39253a8b73aea8d2f65383d9803e0f83
    SHA1
    0c8f267f69d0f9dc183f47cf42faa35ad4c217e4
    SHA256
    71245be01d1171b29b3ddd4b97c3771111b37fc0634c406b712965c34bcb22c1
    SHA512
    bebff167e9989d88163da8b563da27a136b37ba3340894f3a83acd9434be2b1a9903649e148657ee3e898fe25dc3f2a91e1c709f0753153ae5f0b0603147c97c

  • C:\Windows\SysWOW64\19-5-2025.exe
    Filesize
    6.4MB
    MD5
    e7263af04f30a1aef93ed3d3b6786530
    SHA1
    da32628602e9ad8995c9a742898fb2c9c1c8de5c
    SHA256
    335cc6b904da696c79012ed59117de4148beb885f481345e03555669c60ca1f9
    SHA512
    85f02343f6c0a0aa829039791be955ed26e21cd97b826a7ab7f4ac8911bffefcd51b8d0af5116d8c515205e479b9c739c3649c299891cad71b912c06fe67b557

  • C:\Windows\SysWOW64\19-5-2025.exe
    Filesize
    4.6MB
    MD5
    f1f8eeed42b61be4c6be8b2e1be46012
    SHA1
    8122d9cc78cd6ab074ed024e9ea30e03e877f254
    SHA256
    05fffbba39b2e28775716e871815fa0c9bef294a255a98db96465a2530447c95
    SHA512
    d3f4eaa2d20a9ee32750bccf5bfa02912e4e1db2aa5ef2cb4bd34171c01d37f2a4a276d9eeb30a6e3bc065e101af475335e8df5c55619382137a522f4b7cdf0f

  • C:\Windows\SysWOW64\Desktop.ini
    Filesize
    65B
    MD5
    64acfa7e03b01f48294cf30d201a0026
    SHA1
    10facd995b38a095f30b4a800fa454c0bcbf8438
    SHA256
    ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

                  SHA512

                  65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  8.2MB

                  MD5

                  1bee3fbc936b14ad048a1ef8c3c08bc1

                  SHA1

                  4e862ab732df590da3a4bf4dbcb9aa283c93255c

                  SHA256

                  c49d853841c043eafbbcaa23530c854e8c740aca984400ec411c299b287a68ce

                  SHA512

                  d43c91507819407037009b6a2bca6ee8d938dc7668dc56e3f377ff84004629bb5270a0d720cec8a7d98fe1d6a52b5b8f5c9eb0f3488d2be997034fdede32b1a0

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  2.7MB

                  MD5

                  26eb6be53d87275ec1e57b7acd3dc654

                  SHA1

                  6978e153cdceaced01a6bc0bf7f74fe7bc22132c

                  SHA256

                  56edc6754a8f93d1de8e499c0b3f4072d7638383034560367cfa55eb78b119a1

                  SHA512

                  db25cd866c92f8cb717103dd641105bc0af5a4af470f8b2d1d86da3db98d80d0594624b2a1664dfcec7e434304542fa859c144dbc8f8a4071cc576b85a201502

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  8.2MB

                  MD5

                  720cc03e38512c7d655fbe569f0cefbf

                  SHA1

                  566eea4d0331f6ed0f19c2d414e4b4d4c8d01330

                  SHA256

                  6011794cbfab5d01c4416fc696f8ed2b44469f6c602c3e904691399c3129605d

                  SHA512

                  6ee7a097b82e9f9ca567454f47c2716ee649d4e3b5273d19c4b2b636300469cb109ec12a5f010d14a4fc4e6411d63e7cedc1c025c0795afc1e5038e784a58c58

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  8.2MB

                  MD5

                  b153250d8daa81bb71a270a72c035ff8

                  SHA1

                  e12bfbff04464ef4bdb1c0faf6ac0ebc88cf016b

                  SHA256

                  7e08e5b2ad2455ca48e8ba2b279ac1e165c23d7be2a3bdb2639965e300a76e46

                  SHA512

                  ca3e0b07d38020fe4cd150cd861efa4f255c73051dc19aae1892aad8af6a2c000c6ff22f1ffbe5ea7ff290a6808648cb6aebee86f7f6bca28792391c8d3f8e72

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  8.2MB

                  MD5

                  c3229e717bf0c81d648c02856fe8d83f

                  SHA1

                  b0779228de1011825da93dfc556b9715ff154ab3

                  SHA256

                  32821c3c08949aa7bd1bf735d7f3a2650c923210bf9c2b47f9f5157dc4e19eaa

                  SHA512

                  4f218c6b9c26e4a6f8357484954641ed06b18c7f7856501ca60a4cc3fb0c725ae7741217c01c3af25dac812abb59cf1d8b506a2135a0b99fd7b6d9680dd65c79

                • C:\Windows\System\msvbvm60.dll

                  Filesize

                  1.4MB

                  MD5

                  25f62c02619174b35851b0e0455b3d94

                  SHA1

                  4e8ee85157f1769f6e3f61c0acbe59072209da71

                  SHA256

                  898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

                  SHA512

                  f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

                • memory/512-263-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/840-271-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1000-206-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1688-200-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1716-245-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1824-241-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/1824-238-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2012-234-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2032-231-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2036-268-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2896-244-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/2896-251-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3024-203-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3080-161-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3368-120-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3368-209-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3416-257-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3600-260-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3600-211-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3944-164-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/3944-0-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4004-117-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4004-113-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4024-108-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4024-114-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4484-275-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4540-278-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4820-194-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4820-76-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4872-165-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/4872-237-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5092-155-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5536-269-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5804-189-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5804-32-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5844-254-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/5944-158-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB

                • memory/6012-79-0x0000000000400000-0x000000000042B000-memory.dmp

                  Filesize

                  172KB