Analysis

  • max time kernel
    149s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29/05/2025, 11:28

General

  • Target

    2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe

  • Size

    9.1MB

  • MD5

    11756abfad621de2c8a0ead901ab20e0

  • SHA1

    1e600d5e8502a4f6bde4126ebc054f95e53f4031

  • SHA256

    1b29e33fc0f8631a131fa56da8295919798ff0085a50171f33855d1b6e4823ad

  • SHA512

    afcc251e9faa79737541928c08884b6a8b30b1c5941301805562fd77aecbe900c482a0d9c15258dbdda958eb4719a10db7e8835a563e9be603b7fda439f9cf7e

  • SSDEEP

    98304:GGyqWyWy0GyqWyWyMRPC1em1eHL5dGTEYm:71em1eHL5dem

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 12 IoCs
  • Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
  • UAC bypass 3 TTPs 6 IoCs
  • Disables RegEdit via registry modification 6 IoCs
  • Disables use of System Restore points 1 TTPs
  • Drops file in Drivers directory 24 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
  • Executes dropped EXE 30 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 24 IoCs
  • Checks whether UAC is enabled 1 TTPs 6 IoCs
  • Drops desktop.ini file(s) 64 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file 1 TTPs 64 IoCs

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory 39 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 6 IoCs
  • UPX packed file 64 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 34 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel 64 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 51 IoCs
  • Runs ping.exe 1 TTPs 34 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 31 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visiblity of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2384
    • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
      "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5952
      • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1068
      • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visiblity of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:6004
        • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
          "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:1876
        • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
          "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2896
        • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
          "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visiblity of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:4684
          • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
            "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:5316
          • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
            "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2668
          • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
            "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2484
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visiblity of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:536
            • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
              "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:776
            • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
              "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2188
            • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
              "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3192
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:5516
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3584
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:5876
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:464
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2628
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4760
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1496
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3756
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:404
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3448
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:1644
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:6132
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3244
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:532
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4860
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3448
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:5980
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3860
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2612
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1952
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4736
      • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:6020
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5108
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1940
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:6032
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4824
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5776
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5496
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5856
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:1688
    • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
      "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2556
    • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
      "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:3688
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:556
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visiblity of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:5900
      • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5752
      • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2980
      • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:5220
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3508
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4432
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4948
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3792
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4244
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4624
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4752
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4904
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:5892
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1400
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1236
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:512
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:312
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:3528
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\smss.exe
    1⤵
      PID:3756
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\Gaara.exe
      1⤵
        PID:4104
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c 29-5-2025.exe
        1⤵
          PID:3032
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c drivers\csrss.exe
          1⤵
            PID:5744

          Network

                MITRE ATT&CK Enterprise v16

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Admin Games\Readme.txt

                  Filesize

                  736B

                  MD5

                  bb5d6abdf8d0948ac6895ce7fdfbc151

                  SHA1

                  9266b7a247a4685892197194d2b9b86c8f6dddbd

                  SHA256

                  5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

                  SHA512

                  878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

                • C:\Autorun.inf

                  Filesize

                  196B

                  MD5

                  1564dfe69ffed40950e5cb644e0894d1

                  SHA1

                  201b6f7a01cc49bb698bea6d4945a082ed454ce4

                  SHA256

                  be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

                  SHA512

                  72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

                • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

                  Filesize

                  9.1MB

                  MD5

                  27040b1d7226340bfa086947f6f25e7d

                  SHA1

                  b5708fb24a3a6d5856c68431e460f62ceb27c738

                  SHA256

                  c14fec1d79dcbfd1ea8541b86893a390694af0b67abf016f3a0115a38a926c25

                  SHA512

                  3c3b3f507f95c75e7f5c69016497470be64cae02f5b36a06b813947883189cb051efda24560b6424f1d7f1be7a7e4b29bc43cb47e76c51d124dd08783d83a5ea

                • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

                  Filesize

                  9.1MB

                  MD5

                  11756abfad621de2c8a0ead901ab20e0

                  SHA1

                  1e600d5e8502a4f6bde4126ebc054f95e53f4031

                  SHA256

                  1b29e33fc0f8631a131fa56da8295919798ff0085a50171f33855d1b6e4823ad

                  SHA512

                  afcc251e9faa79737541928c08884b6a8b30b1c5941301805562fd77aecbe900c482a0d9c15258dbdda958eb4719a10db7e8835a563e9be603b7fda439f9cf7e

                • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

                  Filesize

                  9.1MB

                  MD5

                  2c9d946ace6ebd3d7e7429b02621ecda

                  SHA1

                  b799e33b9e6debbb775ea93171fb514920149f75

                  SHA256

                  033127e5c02089b50e35f121195541870d2667a9446dc1ddd1b5cd0b3c0ae9de

                  SHA512

                  2c5c457769715d3f7d755ad5de014d54a44da3c8f7ac22a2af2c69b28d51b73a2243e2b2bb9710d4a0bb6fca87dff28ba9f5bb730d892ee46ac54286a3ff1dfb

                • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

                  Filesize

                  9.1MB

                  MD5

                  bf6a7a45783eede00034e417683c23cf

                  SHA1

                  35fa17af7fd69b024e7c4e558e3e46d1c2e72499

                  SHA256

                  0f8414825c864623b56f1fa95ff6b9bdac5ea0c75dfe937c13577fdac70e4f93

                  SHA512

                  729f06a206e3c3702d4daaf03b2051a2b808918a09440ef3e89c1ba64466f1f983d50659ba12e49e7f6e44777ce92240d1e915336e879458062a06fb5c5fc4b7

                • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

                  Filesize

                  9.1MB

                  MD5

                  68f24d30f38a9d42e20db159cfbb5185

                  SHA1

                  c06a7e8f565ff9966760c3439eceb0f063544d9d

                  SHA256

                  d7723dd38ea5ba914d381a1f48bd51d6614acb1bdbac3165fe2339335728eed1

                  SHA512

                  3ca34d9138c6ae8607e8a5a297bfd58f4f79f900215611d792f2bef771338a3f081b2d2b85b82be779b346820bdc107ee84b447cd203a2de345664bc16b2b169

                • C:\Windows\Fonts\The Kazekage.jpg

                  Filesize

                  1.4MB

                  MD5

                  d6b05020d4a0ec2a3a8b687099e335df

                  SHA1

                  df239d830ebcd1cde5c68c46a7b76dad49d415f4

                  SHA256

                  9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

                  SHA512

                  78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

                • C:\Windows\SysWOW64\29-5-2025.exe

                  Filesize

                  9.1MB

                  MD5

                  08df84402b166a3f16e468da3208430f

                  SHA1

                  82c7e1e75f056ad43e64aff2b086d37b2568497d

                  SHA256

                  32e432e2cc329d5ba172544509475fef0c9f81a094395cfa281ee580198d1d3a

                  SHA512

                  8ebc6edb1af3a944efc3ce2da5eaf6c2bec3949cb5b74485c439529a4587b959cff87f8866b37cb51b56456d33103ae096775c21a200a0b40634e6da9e551604

                • C:\Windows\SysWOW64\Desktop.ini

                  Filesize

                  65B

                  MD5

                  64acfa7e03b01f48294cf30d201a0026

                  SHA1

                  10facd995b38a095f30b4a800fa454c0bcbf8438

                  SHA256

                  ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62

                  SHA512

                  65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  9.1MB

                  MD5

                  6f2fdf5cf96309037d3d26bdcb679140

                  SHA1

                  fcd56dfdc9856910feee7f2095de4d76cdff28de

                  SHA256

                  b987968db916ba5bb3cd51eebdc5fba6f14484407dd277fe0e50172ef0f99585

                  SHA512

                  83e82f7f804f5b5954711291e3498120a09066ecb62f809d2a8d8010ef253b7463bea640a8f4a6dd2d6ed99ad3efee5252cb9f4c45e3f20a20c6b89a9ddff339

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  9.1MB

                  MD5

                  c81cf21fcce58dbce1ca2b27ca3b50f4

                  SHA1

                  4cf14d212bc005feefbc6212532e73b1e9716ecd

                  SHA256

                  d1c6d3abf736016702ce2d3399900d9b48f6a5ea805296e67d51d08342f8f8af

                  SHA512

                  b951169da717fba37c9691fd0e5cdcfc51f90fb2b0beebd04176c4bca6d07254911fc9e74a9618a1ed17d3fb9de9ffb3ab9ae86e1f57f7ecff410e6a06018237

                • C:\Windows\SysWOW64\drivers\Kazekage.exe

                  Filesize

                  9.1MB

                  MD5

                  ad8041b8f2d6817069368b447050ed70

                  SHA1

                  94ea8c37e82e378c62dbfac02c6440d457bbc09a

                  SHA256

                  66581392c4a9254a1d90165b34264d9c6f475eb709b294db6a764dd0393f1b72

                  SHA512

                  9295f74ce6153b3ce7b04e9b3d5e351b486f298df10210cf14b3deeee891c8e242b58b6c412cb1848e2cad4e24601d6381f88683c862b5901c576fb786dbb510

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  1.3MB

                  MD5

                  e884c9fc34c220116ba9f9c90faaf6b3

                  SHA1

                  1258f92e9c9e4154df4d9f5b13041642f56255b8

                  SHA256

                  cd90495a134d52149da3d7690f354ab1e3383be738875a7131cf793c47fcd47f

                  SHA512

                  21a0f156cd7fbeb28e370a1ac4cf029d6bc6bae6acdc2f99e05165de7a919d7146d3a84ee4dea996c1a8b5bb6440ae016096341342d8d6f5866740b09224a45a

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  9.1MB

                  MD5

                  f5524a4ad88cc806a2fdc7a9d4f9382c

                  SHA1

                  fd4be1556f2b58a17c25d2ecaa4e10f6fa95fe4f

                  SHA256

                  852fb574b1a25574aab25f90f1421ec330749dc10ca887eff29ccb7925a24cdb

                  SHA512

                  93d4f4b870fc6926c0acaf1c50c5810041ad9b5e33874a9fce531503251e25c9fc6d924a530c08ddab560ef5ebd6f9de1f25529435da0e721c1338a8f6a6d14c

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  9.1MB

                  MD5

                  bdf1fdc3c1fa3da934730f0446551529

                  SHA1

                  7e051c0aa26236b9738ae209dd46256b84372476

                  SHA256

                  3941276e848ac3dba453a5dd35b9ce9ea34e20a6b1dd56cda45572ef30832239

                  SHA512

                  cc9bf6dd31e73984fafa17a0edaf8fbc7874008e07cfeed04232076289bf3ab2fec26abab182e5acc30f5eacd5bc37ad9b72636f49de22ce4035a4dd5d874362

                • C:\Windows\SysWOW64\drivers\system32.exe

                  Filesize

                  9.1MB

                  MD5

                  16059a0faccad7baa10e192bb0710ba5

                  SHA1

                  c7a1e6d279ca8d77479ef2542e12a22f1fdc230b

                  SHA256

                  1a549b98bb4c47492610aa90a698f63d97dd98346463096ba7278dbe2aee296d

                  SHA512

                  fcf6eb8114006fd34e62a553ba6e3863b343117ce900a9bffcdb6615e4111576a587fc5437902bf4a45b7138286ed3480fb731550d8aa0a52cb3a40f59790854

                • C:\Windows\System\msvbvm60.dll

                  Filesize

                  1.4MB

                  MD5

                  25f62c02619174b35851b0e0455b3d94

                  SHA1

                  4e8ee85157f1769f6e3f61c0acbe59072209da71

                  SHA256

                  898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2

                  SHA512

                  f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

                • F:\Admin Games\Anbu Team Sampit (Nothing).exe

                  Filesize

                  7.2MB

                  MD5

                  93c2066ae6e9dc732c7f46d897ce0867

                  SHA1

                  133a97837686bf98f4fd0ea5bf8e0507d8800090

                  SHA256

                  4711a82c1c1916d89f23d94f12910ce716f561de946fe5aaba78cd715af8bcc3

                  SHA512

                  e74c5894a6f96fb112613c10ad5471c10c34b1f4e1c3bb25cbe3107d1d0650be88d3489bdeceb99a6bf6182cc947adfa07f41f6974772c9995442c05a700d1b4

                • memory/532-302-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/536-175-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/536-589-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/536-311-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/536-236-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/556-232-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/776-218-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1068-70-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1068-74-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1496-292-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1940-269-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/1940-253-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2188-241-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2384-123-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2384-499-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2384-0-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2384-315-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2384-309-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2484-164-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2484-171-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2556-193-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2556-179-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2668-167-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2668-157-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2896-118-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/2980-285-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3508-299-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3584-283-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/3688-222-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4432-308-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4684-586-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4684-314-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4684-213-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4684-124-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/4860-306-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5108-252-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5108-237-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5316-159-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5516-275-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5900-233-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5900-313-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5900-591-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5900-281-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5952-310-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5952-387-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5952-316-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5952-32-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/5952-134-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/6004-174-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/6004-77-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/6004-312-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/6004-543-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB

                • memory/6020-245-0x0000000000400000-0x000000000042A000-memory.dmp

                  Filesize

                  168KB