Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2025, 11:07

General

  • Target

    2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe

  • Size

    9.1MB

  • MD5

    0907ffbf662cae89a8751ab25d32d9b2

  • SHA1

    40f30266ade343e73282d8c939373c7c38f9f724

  • SHA256

    1c3bb7ae580061255ae6ca6119765ca282b2d529b2542d50331f798114adba99

  • SHA512

    2b60202c1cdab8800f84cb923912b9f54bf1934c81d88f82ca6a090d722912e49bf3c58a27f2bb6e32108e589e1a82e989cc55dd5f8805ef8ff178355a1fc450

  • SSDEEP

    98304:gGyqWyWy0GyqWyWyMRPC1em1eHL5dGTEYm:N1em1eHL5dem

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 32 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 32 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3036
    • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
      "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:4836
      • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4560
      • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:3104
        • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
          "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:3952
        • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
          "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1524
        • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
          "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:1196
          • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
            "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4232
          • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
            "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:3372
          • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
            "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:460
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1968
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:3564
            • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
              "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2268
            • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
              "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:1512
            • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
              "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2312
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4968
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:224
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:32
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4912
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4560
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1644
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4792
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4452
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:372
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2012
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2484
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1312
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:748
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2068
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3244
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4716
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3804
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4376
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1552
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2040
      • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1652
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3396
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2700
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4212
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5056
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2920
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3076
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4636
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2668
    • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
      "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:408
    • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
      "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2732
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:624
      • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1888
      • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4016
      • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1032
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2996
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4184
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4812
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1240
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1828
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2368
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3044
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2956
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4708
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:872
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3848
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1420
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3416
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\smss.exe
    1⤵
    PID:2624
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\Gaara.exe
    1⤵
    PID:5056
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 29-5-2025.exe
    1⤵
    PID:396
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c drivers\csrss.exe
    1⤵
    PID:388

Network

MITRE ATT&CK Enterprise v16

Downloads

  • C:\Admin Games\Readme.txt

    Filesize

    736B

  • C:\Autorun.inf

    Filesize

    196B

  • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

    Filesize

    9.1MB

  • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

    Filesize

    9.1MB

  • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

    Filesize

    9.1MB

  • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

    Filesize

    9.1MB

  • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

    Filesize

    9.1MB

  • C:\Windows\Fonts\The Kazekage.jpg

    Filesize

    1.4MB

  • C:\Windows\SysWOW64\29-5-2025.exe

    Filesize

    9.1MB

                • C:\Windows\SysWOW64\29-5-2025.exe

                  Filesize

                  9.1MB

                  MD5

                  556215a8eb64702ac0bd3b8e59aaa04f

                  SHA1

                  64e024cffdef304a0c416cd0c0f6ccab38f59b69

                  SHA256

                  8d4efd9cb562fc894dacbb2df61a004ddb5ccba7646b15f6ba9366df7ab058e9

                  SHA512

                  45f52616a859a22bf138f5161edda4b009b99a370222edfe38cc6042d37224a8e051190e37d5cccdbab78b7c918046b7fb8b7f64f05e2cf4d08a7f07f703c11f

                • C:\Windows\SysWOW64\29-5-2025.exe

                  Filesize

                  9.1MB

                  MD5

                  83ec06d6f3d3748a1141c71d76bf009a

                  SHA1

                  ea7383c4a8b60f724dd3631e41da35991c1c4b85

                  SHA256

                  82da3f38811fd0007c539b2f6a93887a99cf79ce6c3cff79f218c858576d07c6

                  SHA512

                  a6f86f136fae70d0460e50efe5127d13fae1b256cbda97363b914243e1d9588d5e545b66e42e88328580992760740c3ab7447bc472ed6828c1045604299df46b

                • C:\Windows\SysWOW64\Desktop.ini

                  Filesize

                  65B

                  MD5

                  64acfa7e03b01f48294cf30d201a0026

                  SHA1

                  10facd995b38a095f30b4a800fa454c0bcbf8438

                  SHA256

                  ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

                  SHA512

                  65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  9.1MB

                  MD5

                  fcf292ab88d60104629fc6ee0bce7b82

                  SHA1

                  410a54301588238a15d489028131f486d07c5551

                  SHA256

                  da5c0fc248a5a07af6b432de9a9d10d519db70678ce0179dd0f7b906747c83b2

                  SHA512

                  709885c7e9e2a609a4006daf2afd3d2ff25a227d60a893734d2ac23840032d6f7d0bbecc4168dba45f3a3622383ba77ecb58e1170b6c08de901222b7b0e87f82

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  9.1MB

                  MD5

                  95ba055cfb9d584c150b2131ce9f9741

                  SHA1

                  d1fcd04420c213137927e72c6ad93aa2f7a8b394

                  SHA256

                  5cb9b6aa6f69398d8257078567ffbbc7fedfebafb08d589e56fb7c7fb82b7539

                  SHA512

                  ab90900234a9f3fc37223bf0d51f649e83349c4591e1f77e1da17edc50d9350d55e64f1eca543639bc39533132ebe10a112eb3fc7c2591607e8d7dafd885ed05

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  9.1MB

                  MD5

                  8e45b27c97fcc49e1d0900b10f6930db

                  SHA1

                  27d872a0a342a50512559fa7b0ab9ffc3cc29bde

                  SHA256

                  49eb6f6a3638bf030ca4bba44eaec9e4d3da31fdee1ff9478a9714cc5bcf7f0f

                  SHA512

                  c08b13ff920270bb556acb60302ae97e2ff0431147adb47871f9b4080ce7fe65b916605753d7e07e787d58cabc024b39254989e626f759682705b3dbb4fcb3b8

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  9.1MB

                  MD5

                  c4c12d82fea5b5c173bb1dbce3918c12

                  SHA1

                  169e8f4491868ebcb22b06c35bce3d1ee91917c9

                  SHA256

                  9cb5b1a3354cd56ae583182f6e542fb4c9c90a0a4328b2f24376306ea71d9439

                  SHA512

                  5a603a49ec8e4f6343104ddf308daf656149b3cda2d3a62d469300ec353b1035bfa89d9ce6deaf2b62d7e66d4f4d4ad9cbef3b34928e4b636fc7dcdafcf15428

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  9.1MB

                  MD5

                  0dee0c7e9165c6fbc215bc9523bd07e9

                  SHA1

                  59e5d302d784200da1c6b7c315d16a1805d157f6

                  SHA256

                  42e1253fe7c19b7a6dd016a59bf8da2d9e66aa5b35d9adaa05286866bf9960c0

                  SHA512

                  bc0f30125fab6aed4443bc6666b732c573747d279f61fae72dc74802ac9a625e731c3b3ce90e47e302a1408ff6839b2f81a4fc5e10e23c68c5c41d82de574481

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  9.1MB

                  MD5

                  ee5d75df84d6608d49add0e30c805d16

                  SHA1

                  bce78d2b17700c7c20028f05cd0a99216ba56eed

                  SHA256

                  bf9067094317efc998e79cbf881cd211ccd93cec9864d11dc58da581a8669d3a

                  SHA512

                  a1351b18fbf09a030789f00e47af349861ff2b4ff237b574c5436c7086e703f52b5c646e2c52cd7aa0849cbe36c945ff77a7547e707accebca8f99a95e97d2e7

                • C:\Windows\System\msvbvm60.dll

                  Filesize

                  1.4MB

                  MD5

                  25f62c02619174b35851b0e0455b3d94

                  SHA1

                  4e8ee85157f1769f6e3f61c0acbe59072209da71

                  SHA256

                  898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

                  SHA512

                  f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

                • C:\Windows\system\msvbvm60.dll

                  Filesize

                  508KB

                  MD5

                  3510db7620dda3c052de49ea1aa0191e

                  SHA1

                  40105462edc01acc30c586f5bbad1311cce85fdc

                  SHA256

                  551a3c6401d8f67764db1eddd457416ca3f1c97f1ec3ab9e10179990130518a4

                  SHA512

                  3b4156e48ecc69a87267e4ebef26d003f63bc4122a36115396855ee6bcb773bdd600e1a084797a99a550e392ea4a7a7c4c0ba5064a0f11e6bd57e8ec15a81253

                • memory/224-299-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/408-178-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/460-185-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/624-311-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/624-589-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/624-254-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/624-192-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/748-303-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1196-124-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1196-191-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1196-313-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1196-456-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1512-281-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1512-265-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1524-120-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1524-114-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1652-222-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1652-239-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1968-217-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1968-188-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2068-307-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2312-288-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2700-268-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2732-173-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2996-277-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3036-498-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3036-314-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3036-0-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3036-308-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3036-123-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3104-164-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3104-500-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3104-79-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3104-316-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3104-310-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3372-176-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3396-237-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3396-257-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3564-312-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3564-218-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3564-264-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3952-116-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4016-246-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4184-274-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4184-284-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4232-161-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4560-74-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4560-70-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4708-283-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4708-292-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4836-309-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4836-135-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4836-499-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4836-33-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4968-295-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB