Analysis
max time kernel: 149s
max time network: 127s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64 arch:x86 image:win10v2004-20250314-en locale:en-us os:windows10-2004-x64 system
submitted: 02/05/2025, 10:34

Behavioral task: behavioral1
Sample: 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Resource: win10v2004-20250314-en

Behavioral task: behavioral2
Sample: 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Resource: win11-20250410-en

General
Target: 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Size: 8.3MB
MD5: 252daf427ff74462bacd78a31277eb08
SHA1: 0eb53676e022d38ea20f2f2290f1781ea7edd527
SHA256: 4a0a1ecc1e6ee951eda7f8b8944f551558384e7e6cf84b7e1348126271c572fe
SHA512: 4a49e17b195d74f301cc336922790032bda92dd783f38d1c4f3368d7552dfe520899c6354388496b3fc71e9157fa5d1fd466ce1948ecbf8f521c7a500ba0268b
SSDEEP: 49152:9GyqWyWy0GyqWyWyMRPC1eHc785diLvQ8b1gtj:9GyqWyWy0GyqWyWyMRPC1eHL5dGYSW
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe
UAC bypass 3 TTPs 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Disables RegEdit via registry modification 6 IoCs
description ioc Process
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe
Disables use of System Restore points 1 TTPs
Drops file in Drivers directory 24 IoCs
description ioc Process
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe
File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe
File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe
File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe
File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe
File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe
File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe
File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe
File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe
File created C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File created C:\Windows\SysWOW64\drivers\system32.exe 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe
File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe
File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" smss.exe
Executes dropped EXE 30 IoCs
pid Process
2456 smss.exe
1456 smss.exe
3064 Gaara.exe
5972 smss.exe
5376 Gaara.exe
4532 csrss.exe
4804 smss.exe
4572 Gaara.exe
3172 csrss.exe
4812 Kazekage.exe
4768 smss.exe
4844 Gaara.exe
4948 csrss.exe
4892 Kazekage.exe
2416 system32.exe
3308 smss.exe
2088 Gaara.exe
6080 csrss.exe
6112 Kazekage.exe
5612 system32.exe
5432 system32.exe
2084 Kazekage.exe
5728 system32.exe
3524 csrss.exe
4164 Kazekage.exe
2648 system32.exe
4080 Gaara.exe
2052 csrss.exe
3604 Kazekage.exe
2488 system32.exe
Loads dropped DLL 18 IoCs
pid Process
2456 smss.exe
1456 smss.exe
3064 Gaara.exe
5972 smss.exe
5376 Gaara.exe
4532 csrss.exe
4804 smss.exe
4572 Gaara.exe
3172 csrss.exe
4768 smss.exe
4844 Gaara.exe
4948 csrss.exe
3308 smss.exe
2088 Gaara.exe
6080 csrss.exe
3524 csrss.exe
4080 Gaara.exe
2052 csrss.exe
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" system32.exe
Checks whether UAC is enabled 1 TTPs 6 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Drops desktop.ini file(s) 64 IoCs
description ioc Process
File opened for modification \??\V:\Desktop.ini 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened for modification \??\Q:\Desktop.ini Gaara.exe
File opened for modification \??\S:\Desktop.ini Gaara.exe
File opened for modification \??\L:\Desktop.ini system32.exe
File opened for modification \??\B:\Desktop.ini csrss.exe
File opened for modification C:\Desktop.ini 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened for modification \??\L:\Desktop.ini Kazekage.exe
File opened for modification \??\O:\Desktop.ini csrss.exe
File opened for modification \??\W:\Desktop.ini 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened for modification \??\R:\Desktop.ini csrss.exe
File opened for modification \??\G:\Desktop.ini smss.exe
File opened for modification \??\L:\Desktop.ini smss.exe
File opened for modification \??\G:\Desktop.ini system32.exe
File opened for modification D:\Desktop.ini smss.exe
File opened for modification \??\T:\Desktop.ini Gaara.exe
File opened for modification \??\B:\Desktop.ini Gaara.exe
File opened for modification \??\O:\Desktop.ini 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened for modification \??\S:\Desktop.ini csrss.exe
File opened for modification \??\H:\Desktop.ini smss.exe
File opened for modification \??\V:\Desktop.ini Kazekage.exe
File opened for modification \??\A:\Desktop.ini 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened for modification \??\K:\Desktop.ini 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened for modification \??\I:\Desktop.ini csrss.exe
File opened for modification \??\P:\Desktop.ini 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened for modification \??\J:\Desktop.ini Gaara.exe
File opened for modification \??\R:\Desktop.ini Gaara.exe
File opened for modification \??\R:\Desktop.ini system32.exe
File opened for modification \??\A:\Desktop.ini csrss.exe
File opened for modification C:\Desktop.ini Gaara.exe
File opened for modification \??\X:\Desktop.ini 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened for modification \??\Y:\Desktop.ini system32.exe
File opened for modification F:\Desktop.ini csrss.exe
File opened for modification \??\I:\Desktop.ini smss.exe
File opened for modification \??\L:\Desktop.ini Gaara.exe
File opened for modification \??\T:\Desktop.ini system32.exe
File opened for modification \??\B:\Desktop.ini 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened for modification C:\Desktop.ini csrss.exe
File opened for modification \??\T:\Desktop.ini Kazekage.exe
File opened for modification \??\H:\Desktop.ini csrss.exe
File opened for modification \??\Q:\Desktop.ini Kazekage.exe
File opened for modification \??\W:\Desktop.ini Kazekage.exe
File opened for modification F:\Desktop.ini system32.exe
File opened for modification \??\J:\Desktop.ini system32.exe
File opened for modification C:\Desktop.ini smss.exe
File opened for modification \??\H:\Desktop.ini 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened for modification \??\I:\Desktop.ini Kazekage.exe
File opened for modification \??\R:\Desktop.ini Kazekage.exe
File opened for modification \??\W:\Desktop.ini csrss.exe
File opened for modification \??\X:\Desktop.ini csrss.exe
File opened for modification \??\P:\Desktop.ini system32.exe
File opened for modification D:\Desktop.ini 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened for modification \??\E:\Desktop.ini Kazekage.exe
File opened for modification \??\P:\Desktop.ini Kazekage.exe
File opened for modification \??\M:\Desktop.ini Gaara.exe
File opened for modification \??\B:\Desktop.ini system32.exe
File opened for modification \??\V:\Desktop.ini system32.exe
File opened for modification \??\E:\Desktop.ini 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened for modification \??\L:\Desktop.ini 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened for modification \??\K:\Desktop.ini csrss.exe
File opened for modification \??\Q:\Desktop.ini csrss.exe
File opened for modification \??\E:\Desktop.ini Gaara.exe
File opened for modification \??\K:\Desktop.ini Gaara.exe
File opened for modification \??\N:\Desktop.ini system32.exe
File opened for modification \??\A:\Desktop.ini system32.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\N: Kazekage.exe
File opened (read-only) \??\L: Kazekage.exe
File opened (read-only) \??\K: 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened (read-only) \??\L: csrss.exe
File opened (read-only) \??\H: csrss.exe
File opened (read-only) \??\S: system32.exe
File opened (read-only) \??\R: Kazekage.exe
File opened (read-only) \??\S: csrss.exe
File opened (read-only) \??\Y: smss.exe
File opened (read-only) \??\B: smss.exe
File opened (read-only) \??\S: Kazekage.exe
File opened (read-only) \??\X: 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened (read-only) \??\Z: csrss.exe
File opened (read-only) \??\J: Gaara.exe
File opened (read-only) \??\B: system32.exe
File opened (read-only) \??\T: system32.exe
File opened (read-only) \??\W: system32.exe
File opened (read-only) \??\V: 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened (read-only) \??\J: smss.exe
File opened (read-only) \??\E: Gaara.exe
File opened (read-only) \??\M: csrss.exe
File opened (read-only) \??\Q: csrss.exe
File opened (read-only) \??\W: 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened (read-only) \??\N: Gaara.exe
File opened (read-only) \??\J: system32.exe
File opened (read-only) \??\X: system32.exe
File opened (read-only) \??\B: Kazekage.exe
File opened (read-only) \??\Z: smss.exe
File opened (read-only) \??\K: Gaara.exe
File opened (read-only) \??\M: 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened (read-only) \??\O: Kazekage.exe
File opened (read-only) \??\L: system32.exe
File opened (read-only) \??\B: 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened (read-only) \??\Q: 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened (read-only) \??\P: Gaara.exe
File opened (read-only) \??\H: system32.exe
File opened (read-only) \??\K: system32.exe
File opened (read-only) \??\E: 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened (read-only) \??\E: csrss.exe
File opened (read-only) \??\K: csrss.exe
File opened (read-only) \??\V: Gaara.exe
File opened (read-only) \??\O: smss.exe
File opened (read-only) \??\E: system32.exe
File opened (read-only) \??\G: system32.exe
File opened (read-only) \??\B: csrss.exe
File opened (read-only) \??\H: Kazekage.exe
File opened (read-only) \??\X: Gaara.exe
File opened (read-only) \??\K: smss.exe
File opened (read-only) \??\A: csrss.exe
File opened (read-only) \??\M: Gaara.exe
File opened (read-only) \??\M: system32.exe
File opened (read-only) \??\N: system32.exe
File opened (read-only) \??\L: 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened (read-only) \??\P: 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened (read-only) \??\P: system32.exe
File opened (read-only) \??\Y: system32.exe
File opened (read-only) \??\T: 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
File opened (read-only) \??\P: csrss.exe
File opened (read-only) \??\Z: Kazekage.exe
File opened (read-only) \??\L: smss.exe
File opened (read-only) \??\R: smss.exe
File opened (read-only) \??\X: smss.exe
File opened (read-only) \??\A: smss.exe
File opened (read-only) \??\I: csrss.exe
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 39 IoCs
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 63 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 32 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Modifies Control Panel 64 IoCs
Modifies Internet Explorer settings
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main | 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Modifies registry class 51 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | smss.exe
Runs ping.exe 1 TTPs 32 IoCs
pid | Process
ping.exe PIDs: 6088, 2056, 732, 3904, 4688, 4692, 3992, 5088, 2232, 3256, 4580, 5592, 1704, 5892, 5640, 3436, 3076, 5776, 1728, 2056, 4228, 5472, 4608, 5504, 3928, 4440, 5520, 448, 1520, 2476, 4952, 1160
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
2416 | system32.exe (24 events)
4812 | Kazekage.exe (24 events)
6008 | 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe (16 events)
Suspicious use of SetWindowsHookEx 31 IoCs
pid | Process
6008 | 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
2456, 1456, 5972, 4804, 4768, 3308 | smss.exe
3064, 5376, 4572, 4844, 2088, 4080 | Gaara.exe
4532, 3172, 4948, 6080, 3524, 2052 | csrss.exe
4812, 4892, 6112, 2084, 4164, 3604 | Kazekage.exe
2416, 5612, 5432, 5728, 2648, 2488 | system32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 6008 wrote to memory of 2456 | 6008 | 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe | 84 (3 events)
PID 2456 wrote to memory of 1456 | 2456 | smss.exe | 85 (3 events)
PID 2456 wrote to memory of 3064 | 2456 | smss.exe | 86 (3 events)
PID 3064 wrote to memory of 5972 | 3064 | Gaara.exe | 87 (3 events)
PID 3064 wrote to memory of 5376 | 3064 | Gaara.exe | 88 (3 events)
PID 3064 wrote to memory of 4532 | 3064 | Gaara.exe | 89 (3 events)
PID 4532 wrote to memory of 4804 | 4532 | csrss.exe | 90 (3 events)
PID 4532 wrote to memory of 4572 | 4532 | csrss.exe | 91 (3 events)
PID 4532 wrote to memory of 3172 | 4532 | csrss.exe | 92 (3 events)
PID 4532 wrote to memory of 4812 | 4532 | csrss.exe | 93 (3 events)
PID 4812 wrote to memory of 4768 | 4812 | Kazekage.exe | 94 (3 events)
PID 4812 wrote to memory of 4844 | 4812 | Kazekage.exe | 95 (3 events)
PID 4812 wrote to memory of 4948 | 4812 | Kazekage.exe | 96 (3 events)
PID 4812 wrote to memory of 4892 | 4812 | Kazekage.exe | 97 (3 events)
PID 4812 wrote to memory of 2416 | 4812 | Kazekage.exe | 98 (3 events)
PID 2416 wrote to memory of 3308 | 2416 | system32.exe | 99 (3 events)
PID 2416 wrote to memory of 2088 | 2416 | system32.exe | 100 (3 events)
PID 2416 wrote to memory of 6080 | 2416 | system32.exe | 101 (3 events)
PID 2416 wrote to memory of 6112 | 2416 | system32.exe | 102 (3 events)
PID 2416 wrote to memory of 5612 | 2416 | system32.exe | 103 (3 events)
PID 4532 wrote to memory of 5432 | 4532 | csrss.exe | 104 (3 events)
PID 3064 wrote to memory of 2084 | 3064 | Gaara.exe | 105 (1 event)
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Processes
Process (depth 1): C:\Users\Admin\AppData\Local\Temp\2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-02_252daf427ff74462bacd78a31277eb08_black-basta_elex_luca-stealer.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:6008
Process (depth 2): C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2456
Process (depth 3): C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1456
Process (depth 3): C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3064
Process (depth 4): C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5972
Process (depth 4): C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5376
Process (depth 4): C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4532
Process (depth 5): C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4804
Process (depth 5): C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4572
Process (depth 5): C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3172
Process (depth 5): C:\Windows\SysWOW64\drivers\Kazekage.exe
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4812
Process (depth 6): C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4768
Process (depth 6): C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4844
Process (depth 6): C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4948
Process (depth 6): C:\Windows\SysWOW64\drivers\Kazekage.exe
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4892
Process (depth 6): C:\Windows\SysWOW64\drivers\system32.exe
Command line: C:\Windows\system32\drivers\system32.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2416
Process (depth 7): C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3308
Process (depth 7): C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2088
Process (depth 7): C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6080
Process (depth 7): C:\Windows\SysWOW64\drivers\Kazekage.exe
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6112
Process (depth 7): C:\Windows\SysWOW64\drivers\system32.exe
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5612
Process (depth 7): C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5592
Process (depth 7): C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2476
Process (depth 7): C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2232
Process (depth 7): C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4952
Process (depth 6): C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1520
Process (depth 6): C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:732
Process (depth 6): C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4440
Process (depth 6): C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1160
Process (depth 6): C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:448
Process (depth 6): C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3256
Process (depth 5): C:\Windows\SysWOW64\drivers\system32.exe
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5432
Process (depth 5): C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2056
Process (depth 5): C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5088
Process (depth 5): C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3436
Process (depth 5): C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3904
Process (depth 5): C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3076
Process (depth 5): C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4228
Process (depth 4): C:\Windows\SysWOW64\drivers\Kazekage.exe
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2084
Process (depth 4): C:\Windows\SysWOW64\drivers\system32.exe
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5728
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4580
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4608
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5504
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3928
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2056
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4692
-
-
-

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe (tree depth 3)
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3524

C:\Windows\SysWOW64\drivers\Kazekage.exe (tree depth 3)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4164

C:\Windows\SysWOW64\drivers\system32.exe (tree depth 3)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2648

C:\Windows\SysWOW64\ping.exe (tree depth 3)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 6088

C:\Windows\SysWOW64\ping.exe (tree depth 3)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5472

C:\Windows\SysWOW64\ping.exe (tree depth 3)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5640

C:\Windows\SysWOW64\ping.exe (tree depth 3)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5892

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe (tree depth 2)
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4080

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe (tree depth 2)
Command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2052

C:\Windows\SysWOW64\drivers\Kazekage.exe (tree depth 2)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3604

C:\Windows\SysWOW64\drivers\system32.exe (tree depth 2)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2488

C:\Windows\SysWOW64\ping.exe (tree depth 2)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5776

C:\Windows\SysWOW64\ping.exe (tree depth 2)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3992

C:\Windows\SysWOW64\ping.exe (tree depth 2)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1728

C:\Windows\SysWOW64\ping.exe (tree depth 2)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1704

C:\Windows\SysWOW64\ping.exe (tree depth 2)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5520

C:\Windows\SysWOW64\ping.exe (tree depth 2)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4688

C:\Windows\system32\cmd.exe (tree depth 1)
Command line: C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe
PID: 5924

C:\Windows\system32\cmd.exe (tree depth 1)
Command line: C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID: 4960

C:\Windows\system32\cmd.exe (tree depth 1)
Command line: C:\Windows\system32\cmd.exe /c 2-5-2025.exe
PID: 2632

C:\Windows\system32\cmd.exe (tree depth 1)
Command line: C:\Windows\system32\cmd.exe /c drivers\csrss.exe
PID: 436
Network
MITRE ATT&CK Enterprise v16 (count of matching signatures in parentheses)

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (8)
Downloads
Filesize: 8.3MB
MD5: b839e041fd7e3e52d5f28cd5aa81e753
SHA1: ce16337fed6a04c1f3233316e9a93453d158cb97
SHA256: bad31c7f9e1cb9dde324408e266921ac1fee90c5fc690a9b762ebac745f30c84
SHA512: 8c49e2e17b917f448990a1f6db8a18d37e2b613c445403386339b0230e09065dc6d2fbc6a58c3a938d64979f656996e7b28b53afe61f9ded6e95f196808e0d96

Filesize: 736B
MD5: bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1: 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256: 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512: 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

Filesize: 196B
MD5: 1564dfe69ffed40950e5cb644e0894d1
SHA1: 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256: be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512: 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

Filesize: 8.3MB
MD5: 3bb2e9c9ac833744cd2a0807752d9d32
SHA1: 4daadaf10f17a8d3c22dfaae0254e40b0845e378
SHA256: bcb3654eb2659c6390513f3d0aea931029c915cdb83b9ddc647a01042b0e7574
SHA512: ff7658a59b9dab6ce2ab13833914c18c51f85bc6f53bb8e9cb72fcaa397ff442b1ad785cb27ae7b575ef4f37f1d0d7d5de5662c520db6bcdd187fc2407d22f08

Filesize: 8.3MB
MD5: 252daf427ff74462bacd78a31277eb08
SHA1: 0eb53676e022d38ea20f2f2290f1781ea7edd527
SHA256: 4a0a1ecc1e6ee951eda7f8b8944f551558384e7e6cf84b7e1348126271c572fe
SHA512: 4a49e17b195d74f301cc336922790032bda92dd783f38d1c4f3368d7552dfe520899c6354388496b3fc71e9157fa5d1fd466ce1948ecbf8f521c7a500ba0268b

Filesize: 8.3MB
MD5: 91c3c167099e163806fa4e43e70b57e7
SHA1: 4eb6cb4ab26de3e3018cec984847d595463342d1
SHA256: e11c2215f0046d0a3e455e0b0f8a822c96dd99fd7bdb09598a699e8cfd6c30b4
SHA512: 33499c6edbf39c7febd75430b363566cdbd89d5c76fae56a1ad16d20eb311c5550a9472fb8f087e7b3cc4995589d11e0909c0dd3373e57b91ea68a3654a4d117

Filesize: 8.3MB
MD5: 454738ad0b92942bb64b05e479a6845e
SHA1: 490966a39f78ba900ddff3420fbb6f6106298ac6
SHA256: 79d0ef7cfbe103a18724b0d094ef41380271310ca43e247e56cbea65c1dc5d43
SHA512: a69838044ee677faf7218db72b1f780c965e46388a6fcc7e28bbc5f83bd054208d60aa1857d58f100bb8b1f14d453ef697216dadf25de020898ed38d011dfa82

Filesize: 1.4MB
MD5: d6b05020d4a0ec2a3a8b687099e335df
SHA1: df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256: 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512: 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

Filesize: 8.3MB
MD5: 333c8125df96373225d259a9193beaaa
SHA1: 884dd7256d2cc6e244d7fafb6d28d49b85309ba2
SHA256: b7f91f3716918445f411cf0d5273ff85c5a3827c4d29dde4a28f6617a4f956d0
SHA512: 5242bb9e2cd7b732c35f14d0821a746b3fc17afea1732174d8e777c9fb84893c513e1d4f1460edb59a954e9b9c3fd630276aed8e86669b59aafa37f6205833ca

Filesize: 8.3MB
MD5: a6e65d27146e986088832686ea6bb611
SHA1: 46ad0999a011c111f9aa1417d6a55edc0be9e817
SHA256: b67bf2d455f30d8a0579cf038d98974e425ef2d9c4f036e249e9ce3a16c3d6c4
SHA512: 6bae2b32cd4b063eeae2b17fca7aefab60acb7b24a93bfdfab9c98774e13d1d191dce41342d0a8e7087d822f3a8f4e4f7913950b6620c17494792cb988ebc252

Filesize: 1.9MB
MD5: 7d3cd46a94029554cbe90f0396fb9c2f
SHA1: 026e762cafc3ab5e457524463bea98629bc6c33c
SHA256: abb803bfd199cdb7785da871b6c70156be970aa81ef91e8a53fb7015980c0a9a
SHA512: c62b1efcb1b391b887042608535b22c90e40a2f98375dd6d37a7f40512ebcef1252b8cd28ac71bbae304d240445ae7c38bba0e318d5d37cdd7961de242a55159

Filesize: 1.9MB
MD5: dbd5eb8a9897764cacab3d52b94756cd
SHA1: fe24178d69e2dfbc7a2fc8bb85ed75fc1b0e8bb5
SHA256: 509f5d8f771406eebcec85ff76902a75ae0515c67af0d1aabcaa4856edda50e4
SHA512: 45bc78e062967d9b17bd1fa4360a09057b15a326faf53b645cdf5f9fdaa574f42d73e920deed39f444f9cb0867c077aa0a954bd5c272eaf2355ce1916d8f30c7

Filesize: 65B
MD5: 64acfa7e03b01f48294cf30d201a0026
SHA1: 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256: ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512: 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

Filesize: 8.3MB
MD5: 7c06303be7c9f55f88df2a9cfee9d4f7
SHA1: aab57532bac323f9d4bf15afd420287c2682bd35
SHA256: ecbc9bfb84c10b8ef4b10a6347c77511cade26549e69dabee6a89333b20ca658
SHA512: fae9d7de3f351f68f6edd5a8221b95e33b83089386c5731164af53ddd117aa8276966b865c7948cae263cf02ddb08abb2a98d7dad981a737930870cf506a2ebd

Filesize: 8.3MB
MD5: 3144c9f5554544ce9685ae74a79e87be
SHA1: fe23807122da2ec3e8750db8e760ea54690dc751
SHA256: 0e1edeb613d8d45e288c5649e0f0a3b7e5669d5712b4e75d427ee06c9f82e2f1
SHA512: 3213517748bfd2b557c7d125c11062f00f0f7bc9bbf5b9831fc1a47aaa14f27fbd38e77c84cf4c27ec35476503238a1e4b6ea51496e686a76e738c6279708caf

Filesize: 4.5MB
MD5: c3f454d22119d976867764c0b1265e27
SHA1: b2c23a538f28208c9e6d236be6e5068f5e7ce728
SHA256: 0b32407738411b80ce60859eb04a3aa9fedc2b608583c83bff34abba3848deb0
SHA512: 76c8a14733523e5dd4ffd951b17a30ed633e5bb34230f2764aada93ae8b4d4a81dac3cd145c2280543116f54dfd923a371c60d5b404a1a04513a104b767dd490

Filesize: 8.3MB
MD5: 7b841592cf313c498c801764bf11854a
SHA1: 74bcd3478cbc9e890a4e392617b3d82d485d0dd1
SHA256: 02b835ea0e8db2f4a07a899910c2fbd7e57caa76c4a5ac0ac9c6992e2a564d14
SHA512: 1fdf29ffaa3b9a075453b0293855970ed1b960c44799fe1a6944293397fd2fb394c012cced8a7950f4c4bba6187b1d01b25cffdce726e26f8e687fc1159724a9

Filesize: 2.4MB
MD5: 30df67f75ecf3a687df6ae18898a0dbb
SHA1: b4d55d2a3d91985d4f93a5164ed365ba21d98f60
SHA256: 282794efe4994578928679e17bc4c4ba21d8b41df34f891dbc5d7b442ccdaf28
SHA512: e45559c2b67a6ec81f060286ae5df36bbbf68fa7752df9463e8dd2c7b67a89e14c647141ea01f0806401ea80920f7851fba4e4db2805998de6c98e165cfd8b46

Filesize: 1.4MB
MD5: 25f62c02619174b35851b0e0455b3d94
SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

Filesize: 8.3MB
MD5: 63c067dc1fac0c567176df5f297a1080
SHA1: 0dc0e25393d8a841d497b5775baa892bf019475d
SHA256: f51a9f5d7ed920e779b0625382c95e705b91f50f6fa013ab323e2eb8fc3203b9
SHA512: d5b7b09978a0492d66aa680138a9df3c091fa63ba0ccda944e0c3238d878f0dca0a08978a918ffd15c21fcf3bace36f7487c2df5804d95ee76ec4c80acc085d6