Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250502-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    29/05/2025, 11:51

General

  • Target

    2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe

  • Size

    8.1MB

  • MD5

    b315b9baf0090e0fe9acd782b64c5bed

  • SHA1

    5e1d64a47d48be1d22a0e5a455bc422b08fcc5b3

  • SHA256

    d8f2501508489f91193dbcdf22d654b2562e38eb4074899854a7ae4306417af7

  • SHA512

    4f7c1dec92f2f82e4951a8b7dabe9979715ffb99d2c01f5706036f456adfa90afb32d76786226f5234c5650f721ab42d05d11ab37852e205194e869f01275976

  • SSDEEP

    49152:BGyqWyWy0GyqWyWyMRPC1em1eHc785diLvnb17:BGyqWyWy0GyqWyWyMRPC1em1eHL5dGTp

Malware Config

Signatures

  • Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
  • Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
  • Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
  • UAC bypass (3 TTPs, 6 IoCs)
  • Disables RegEdit via registry modification (6 IoCs)
  • Disables use of System Restore points (1 TTP)
  • Drops file in Drivers directory (24 IoCs)
  • Event Triggered Execution: Image File Execution Options Injection (1 TTP, 64 IoCs)
  • Executes dropped EXE (30 IoCs)
  • Loads dropped DLL (18 IoCs)
  • Adds Run key to start application (2 TTPs, 24 IoCs)
  • Checks whether UAC is enabled (1 TTP, 6 IoCs)
  • Drops desktop.ini file(s) (64 IoCs)
  • Enumerates connected drives (3 TTPs, 64 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops autorun.inf file (1 TTP, 64 IoCs)

    Malware can abuse Windows Autorun to spread further via attached volumes.

  • Drops file in System32 directory (39 IoCs)
  • Sets desktop wallpaper using registry (2 TTPs, 6 IoCs)
  • UPX packed file (64 IoCs)

    Detects executables packed with UPX or a modified UPX open-source packer.

  • Drops file in Windows directory (64 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 63 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTP, 32 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • Modifies Control Panel (64 IoCs)
  • Modifies Internet Explorer settings (1 TTP, 12 IoCs)
  • Modifies registry class (51 IoCs)
  • Runs ping.exe (1 TTP, 32 IoCs)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious use of SetWindowsHookEx (31 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • System policy modification (1 TTP, 12 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe"
    1⤵
    • Modifies WinLogon for persistence
    • Modifies visibility of file extensions in Explorer
    • Modifies visibility of hidden/system files in Explorer
    • UAC bypass
    • Disables RegEdit via registry modification
    • Drops file in Drivers directory
    • Event Triggered Execution: Image File Execution Options Injection
    • Adds Run key to start application
    • Checks whether UAC is enabled
    • Drops desktop.ini file(s)
    • Enumerates connected drives
    • Drops autorun.inf file
    • Drops file in System32 directory
    • Sets desktop wallpaper using registry
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies Control Panel
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:3224
    • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
      "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:436
      • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3672
      • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of file extensions in Explorer
        • Modifies visibility of hidden/system files in Explorer
        • UAC bypass
        • Disables RegEdit via registry modification
        • Drops file in Drivers directory
        • Event Triggered Execution: Image File Execution Options Injection
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Enumerates connected drives
        • Drops autorun.inf file
        • Drops file in System32 directory
        • Sets desktop wallpaper using registry
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Control Panel
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        • System policy modification
        PID:4556
        • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
          "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2036
        • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
          "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2224
        • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
          "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of file extensions in Explorer
          • Modifies visibility of hidden/system files in Explorer
          • UAC bypass
          • Disables RegEdit via registry modification
          • Drops file in Drivers directory
          • Event Triggered Execution: Image File Execution Options Injection
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Checks whether UAC is enabled
          • Drops desktop.ini file(s)
          • Enumerates connected drives
          • Drops autorun.inf file
          • Drops file in System32 directory
          • Sets desktop wallpaper using registry
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Modifies Control Panel
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          • System policy modification
          PID:3336
          • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
            "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4640
          • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
            "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2176
          • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
            "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1952
          • C:\Windows\SysWOW64\drivers\Kazekage.exe
            C:\Windows\system32\drivers\Kazekage.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of file extensions in Explorer
            • Modifies visibility of hidden/system files in Explorer
            • UAC bypass
            • Disables RegEdit via registry modification
            • Drops file in Drivers directory
            • Event Triggered Execution: Image File Execution Options Injection
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops desktop.ini file(s)
            • Enumerates connected drives
            • Drops autorun.inf file
            • Drops file in System32 directory
            • Sets desktop wallpaper using registry
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Control Panel
            • Modifies Internet Explorer settings
            • Modifies registry class
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1296
            • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
              "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3028
            • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
              "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:916
            • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
              "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:868
            • C:\Windows\SysWOW64\drivers\Kazekage.exe
              C:\Windows\system32\drivers\Kazekage.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2504
            • C:\Windows\SysWOW64\drivers\system32.exe
              C:\Windows\system32\drivers\system32.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:3960
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3008
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:5096
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:4772
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2248
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.rasasayang.com.my 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:3008
            • C:\Windows\SysWOW64\ping.exe
              ping -a -l www.duniasex.com 65500
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:2840
          • C:\Windows\SysWOW64\drivers\system32.exe
            C:\Windows\system32\drivers\system32.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4380
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:3316
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4896
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2552
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:4228
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.rasasayang.com.my 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2244
          • C:\Windows\SysWOW64\ping.exe
            ping -a -l www.duniasex.com 65500
            5⤵
            • System Location Discovery: System Language Discovery
            • System Network Configuration Discovery: Internet Connection Discovery
            • Runs ping.exe
            PID:2176
        • C:\Windows\SysWOW64\drivers\Kazekage.exe
          C:\Windows\system32\drivers\Kazekage.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4704
        • C:\Windows\SysWOW64\drivers\system32.exe
          C:\Windows\system32\drivers\system32.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2780
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3936
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2476
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3120
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4336
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.rasasayang.com.my 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:3776
        • C:\Windows\SysWOW64\ping.exe
          ping -a -l www.duniasex.com 65500
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4524
      • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2536
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2180
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3320
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2176
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2636
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3268
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2244
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2068
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2308
    • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
      "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4812
    • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
      "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2096
    • C:\Windows\SysWOW64\drivers\Kazekage.exe
      C:\Windows\system32\drivers\Kazekage.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4896
    • C:\Windows\SysWOW64\drivers\system32.exe
      C:\Windows\system32\drivers\system32.exe
      2⤵
      • Modifies WinLogon for persistence
      • Modifies visibility of file extensions in Explorer
      • Modifies visibility of hidden/system files in Explorer
      • UAC bypass
      • Disables RegEdit via registry modification
      • Drops file in Drivers directory
      • Event Triggered Execution: Image File Execution Options Injection
      • Executes dropped EXE
      • Adds Run key to start application
      • Checks whether UAC is enabled
      • Drops desktop.ini file(s)
      • Enumerates connected drives
      • Drops autorun.inf file
      • Drops file in System32 directory
      • Sets desktop wallpaper using registry
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Modifies Control Panel
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      • System policy modification
      PID:808
      • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
        "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4336
      • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
        "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2100
      • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
        "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:1512
      • C:\Windows\SysWOW64\drivers\Kazekage.exe
        C:\Windows\system32\drivers\Kazekage.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2976
      • C:\Windows\SysWOW64\drivers\system32.exe
        C:\Windows\system32\drivers\system32.exe
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2732
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:452
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:3936
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.rasasayang.com.my 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:184
      • C:\Windows\SysWOW64\ping.exe
        ping -a -l www.duniasex.com 65500
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:4876
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:2248
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4880
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.rasasayang.com.my 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:4600
    • C:\Windows\SysWOW64\ping.exe
      ping -a -l www.duniasex.com 65500
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Runs ping.exe
      PID:1096
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\smss.exe
    1⤵
    PID:4484
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\Gaara.exe
    1⤵
    PID:1508
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c 29-5-2025.exe
    1⤵
    PID:4548
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c drivers\csrss.exe
    1⤵
    PID:2500

Network

MITRE ATT&CK Enterprise v16

Downloads

                • C:\Admin Games\Readme.txt

                  Filesize

                  736B

                  MD5

                  bb5d6abdf8d0948ac6895ce7fdfbc151

                  SHA1

                  9266b7a247a4685892197194d2b9b86c8f6dddbd

                  SHA256

                  5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8

                  SHA512

                  878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

                • C:\Autorun.inf

                  Filesize

                  196B

                  MD5

                  1564dfe69ffed40950e5cb644e0894d1

                  SHA1

                  201b6f7a01cc49bb698bea6d4945a082ed454ce4

                  SHA256

                  be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184

                  SHA512

                  72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

                • C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

                  Filesize

                  8.1MB

                  MD5

                  6440d87d42087aa7c97429151134d6c0

                  SHA1

                  d36bca08e72c6a351711cfc290939fc53060a4ee

                  SHA256

                  c4c4e2b2b937847924e801c0ca60288af7262b7ebb445ea794af2d1f25c76f8d

                  SHA512

                  f825cd4a0249db0283d196364433f0ee43680b1b9ac94b22c27a1e5a2dc7275dc4dfbbb50c2191a63b54d1ac94d46d1a5afa8025e50a6de096ff01f4632de782

                • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

                  Filesize

                  8.1MB

                  MD5

                  b315b9baf0090e0fe9acd782b64c5bed

                  SHA1

                  5e1d64a47d48be1d22a0e5a455bc422b08fcc5b3

                  SHA256

                  d8f2501508489f91193dbcdf22d654b2562e38eb4074899854a7ae4306417af7

                  SHA512

                  4f7c1dec92f2f82e4951a8b7dabe9979715ffb99d2c01f5706036f456adfa90afb32d76786226f5234c5650f721ab42d05d11ab37852e205194e869f01275976

                • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

                  Filesize

                  8.1MB

                  MD5

                  2e4335439d58f3866db2d4c2ef410938

                  SHA1

                  0621d26dcb0e786f599642a0f16958e5dbdd8d74

                  SHA256

                  b1a3ae69aa95fe3fb274840c77dc1d79e292832837088829ef41deb0b4c4e1e6

                  SHA512

                  4bb029e16097439f868d422e205b682089303ef891b5c34bdc1ac4c46e0f7034e55a0b129f0ab81c9a37077650c2292345d4cc5fe70135180b27b217e4da0faa

                • C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

                  Filesize

                  8.1MB

                  MD5

                  a209979d29a40815a19b50c5a6def5d1

                  SHA1

                  44b0507a5a36ef3f75db6e088581c30e1c4506ec

                  SHA256

                  2fc6be28fedeb6c43921c0c8b8ac0e534625a74fce0a13a630b329f1755b86fb

                  SHA512

                  bfb975c37a970d85f2d819f8c8aa91005c09b02d77d97a0a3a520316021922ff0ee2998eeffd02b1ab5c884afafa1e2273132bf58eaff8c9078bfb3d651ebbfa

                • C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

                  Filesize

                  8.1MB

                  MD5

                  bb430fec77f659dd54e50fcb39645b5f

                  SHA1

                  bc5d61e61d6bc710e0fc2c3459a9c547caf063f5

                  SHA256

                  fc9ceacd5c92b0caa61abfd2e91a019606dd4096b886e010a11d40f1b53955f7

                  SHA512

                  6ce8e0bbd1daba4416f375258af6f64c843a3757124f39a7b42029951bbaab60e2e996e0cf6f96c9f699baaf67896428b01584ae3007e4f5ca0a63d80384573b

                • C:\Windows\Fonts\The Kazekage.jpg

                  Filesize

                  1.4MB

                  MD5

                  d6b05020d4a0ec2a3a8b687099e335df

                  SHA1

                  df239d830ebcd1cde5c68c46a7b76dad49d415f4

                  SHA256

                  9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a

                  SHA512

                  78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

                • C:\Windows\SysWOW64\29-5-2025.exe
                  Filesize: 8.1MB
                  MD5: 93b5e6e8da7c9e9b41e9daf350e64959
                  SHA1: 418b9c3fa9c03d4bfde8ef9474884ab1cfb0171d
                  SHA256: e4e43e672d787467e096e620ac15f7c26fc7c03a9e594be65bbe5c0ddfb3aa64
                  SHA512: bef11dc94b48455f63f2784c489e714eeed9b95b71f815c48ad8e2cc4797593f9e79f248836ea216effdf31fcd3a81964e4ba1c516ef0f64b288bbbaee498719

                • C:\Windows\SysWOW64\29-5-2025.exe
                  Filesize: 8.1MB
                  MD5: 16483a543ed3daaa72f271758aa04842
                  SHA1: dc9764045d9b21a72d9c56c9a6256dbd64275d29
                  SHA256: 21709eac07c9545389b14f0452dab838cc211fcafbba440c2ebdd291bbba929f
                  SHA512: 820b986540ff7354146779eef768dfc7441924cd4da75d69df275261dd53f1673356bd070c20cd904b4830eb9c88308133481cdbff5f601b2dea8b1f7a16ff85

                • C:\Windows\SysWOW64\Desktop.ini
                  Filesize: 65B
                  MD5: 64acfa7e03b01f48294cf30d201a0026
                  SHA1: 10facd995b38a095f30b4a800fa454c0bcbf8438
                  SHA256: ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
                  SHA512: 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

                • C:\Windows\SysWOW64\drivers\Kazekage.exe
                  Filesize: 8.1MB
                  MD5: 09bd480e5abb70ebf00f9898953e111b
                  SHA1: 3a5af9bc19a4c4d935549331853a80f68bfbb4f5
                  SHA256: e2c610a34d1e8f074bba3d347bfcd7874936a1b8f8e84b30606dab7a782de499
                  SHA512: a000b4f56da9d278d581043ab74870d90de6afa6d457d9d4ca5fe0ae69dbfb1d519870e8201456516e8b3d4bcfccf5621ac15972b29a316a460b3c74beee46cf

                • C:\Windows\SysWOW64\drivers\Kazekage.exe
                  Filesize: 8.1MB
                  MD5: 415151d5dff7c5802378a5380df0c891
                  SHA1: efea1044673855981cb2173d64d5147fe75e2ca9
                  SHA256: ad991b23909407d8f141ef929220a4fa5fbc007d4dfdb723293e5d8aa099daca
                  SHA512: a83b2a87eab25fae7c17927c173607e9d96f7db2593e65b3b541f6249acec0b115dfe8cf88279cfa24dd5d5b823868f0ceb77a7960284bea7d62e0fb111a93e0

                • C:\Windows\SysWOW64\drivers\Kazekage.exe
                  Filesize: 8.1MB
                  MD5: eed24dca9cc4da0a70bf670922e462c6
                  SHA1: ce76ea11a3348c5ee8f00c39360b7846d325b59f
                  SHA256: cc6f3b92b4fd98bfe90f8a5af219419454e14f5f97e1704651a6017826e805cb
                  SHA512: 8327e07ba10d80047e9d1ab30c04fccd192c503eda18d095c7b9f36a3292df1dea496da9ea43bd0ac56b2f9ae068f7d5a9d116ec55eaa5a76331a7c7bdb175ec

                • C:\Windows\SysWOW64\drivers\system32.exe
                  Filesize: 8.1MB
                  MD5: 506a3f4f1441c0ccc52232c0e7441bc7
                  SHA1: 9e4793e953df7f704b815eec400234037a595799
                  SHA256: 3c572c000fccf092e765809f2e86baddbd0d39315196ad91a50e6e8eee7b0339
                  SHA512: 303ae6b16988fde13fab4b220d0c9d554490047e1f6416bc7d49d8f2a4fb0ada15f81ce62604bfe0e1b2ee82c36f64f9ac8d08ddc2ea10f751d8cdc3c172c955

                • C:\Windows\SysWOW64\drivers\system32.exe
                  Filesize: 8.1MB
                  MD5: f5d6939d4b117d6dc92d1ecbf55ca4d9
                  SHA1: 6066a5c9841eb5c9cd86bd7548ae07338888c1a8
                  SHA256: 5bd58506d92962ffb4f83caa4d7be53628b91132f98ec66c5720aa57da41d50d
                  SHA512: 7087af2f68d0cc5d8f5c7df8862fbc4e24c1bc3e5bad6ca44fb0dfd0ccc90651dece571b900ab2fd91cab9fed76fa2f6910e421ec38bc12166e484e3a21d2a58

                • C:\Windows\System\msvbvm60.dll
                  Filesize: 1.4MB
                  MD5: 25f62c02619174b35851b0e0455b3d94
                  SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
                  SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
                  SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

                • F:\Admin Games\Gaara go to Kazekage.exe
                  Filesize: 8.1MB
                  MD5: e7e8c00e1dca1daf5318bfcb9986f51a
                  SHA1: 322eb3c5d7720ad8c01ce4008165058fc67a1946
                  SHA256: d282458d8c277ac6d8404b46b680141fbcfa42ef3a271f63f2fa0947e9011eb4
                  SHA512: 29937e95e4f10f15ecd35bf4debace8690735bb31badbcc6d834e1e232c5fbc320bd679e61e4c3ce31e1f17ebc47625c533a114fc9d03977a6c96f53599b4654

                • F:\Admin Games\Hokage-Sampit (Nothing).exe
                  Filesize: 8.1MB
                  MD5: 41e6eb59a6c9ab8bb3a58fb68d737dd8
                  SHA1: 2903fd373c11fc9b4cee9e93829233b5e13c0aa6
                  SHA256: 35cdb2bbf57828e0c4c8843315c80f447cac19526860a0a0768f9b2deb9a7fe4
                  SHA512: 509e7f7561763f5594d61e80fcbe0eaffb5c1d1066cd3aa2a17434fc31356fe8ee55455e5cae52cbad4a51e43704e317ff845d3cdc76de61ab913ffa7be7c721

                • memory/436-372-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/436-311-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/436-142-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/436-32-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/808-314-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/808-232-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/808-285-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/868-265-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/916-246-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/1296-590-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/1296-185-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/1296-243-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/1296-312-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/1952-176-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/2036-115-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/2096-181-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/2100-280-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/2176-167-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/2180-249-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/2224-119-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/2504-277-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/2732-309-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/2780-307-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/2976-301-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/3028-227-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/3224-316-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/3224-0-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/3224-122-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/3224-500-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/3224-310-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/3320-263-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/3336-587-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/3336-315-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/3336-123-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/3336-194-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/3672-75-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/3672-70-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/3960-290-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/3960-273-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/4336-270-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/4380-303-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/4556-164-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/4556-313-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/4556-77-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/4556-431-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/4640-160-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/4704-297-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/4704-286-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/4812-180-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/4812-171-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/4896-235-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)
                • memory/4896-195-0x0000000000400000-0x000000000042A000-memory.dmp (Filesize: 168KB)