Analysis
max time kernel: 149s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20250410-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/05/2025, 10:40

Behavioral task: behavioral1
Sample: 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Resource: win10v2004-20250410-en

General
Target: 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Size: 8.3MB
MD5: 2dbb5c1082d809ce83df93eb2f480a30
SHA1: c78a7e6ffe18f24d352c9540d22b18fb13fbf477
SHA256: b672ba2801a2f3f9ca5b3bc1b8bee564c4a7c32bd33fb5bf19d585146eeef8cf
SHA512: 021be5d67af78098e5f5aa6964942aaf22a1d00252a43962679b16586f76c92adbf6c1d3d4dd7b4f841f0a9e79b548cb916df3212b6c68c6b4b5bb5e939d6db4
SSDEEP: 49152:hGyqWyWy0GyqWyWyMRPC1eHc785diLvQ8b1gtj:hGyqWyWy0GyqWyWyMRPC1eHL5dGYSW
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
UAC bypass (3 TTPs, 6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Disables use of System Restore points (1 TTP)
Drops file in Drivers directory (24 IoCs)
description | ioc | process
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
Event Triggered Execution: Image File Execution Options Injection (1 TTP, 64 IoCs)
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | system32.exe
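The registry tables above (Winlogon, Explorer\Advanced, Policies\System, Run and Image File Execution Options) are the part of this report a responder will want to turn into rules. The Python below is an added example for this write-up, not code from the sandbox or from the sample: it parses lines in the report's flattened "description ioc process" layout and applies the checks a practitioner would apply by hand. The input lines are constructed from entries in the tables above, plus one made-up benign Winlogon line as a control. Three details it encodes are worth spelling out. An IFEO Debugger value makes CreateProcess start "<Debugger> <original command line>" instead of the requested image, so "cmd.exe /c del" deletes whatever was launched (the rival worm names above) while "drivers\\Kazekage.exe" substitutes the sample for taskmgr.exe, regedt32.exe, mmc.exe, msconfig.exe, cscript.exe and wscript.exe. The Winlogon and Run writes went to the WOW6432Node view, consistent with a 32-bit writer whose System32\drivers drops were redirected to SysWOW64\drivers; Explorer processes both views of Run, but Winlogon is not a WOW64-shared key, so the 64-bit winlogon.exe does not read that Shell/Userinit change, whereas IFEO and Policies are shared keys and take effect. EnableLUA=0 only takes effect after the next reboot, so the "UAC bypass" tag describes a change to future elevation prompts, not an elevation in this run.

```python
"""Rule-based triage of registry IOC lines from a sandbox report.

Added example, not code from the sandbox or the sample.  Assumes the report's
flattened layout:  Set value (str|int) <key>\\<name> = "<value>" <process>
                   Key created <key> <process>
SAMPLE_LINES are constructed from the report's tables plus one benign control.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SET_RE = re.compile(r'^Set value \((?:str|int)\) (.+?) = "(.*)" (\S+)$')

# (key suffix, value name, value) -> (category, effect on the host)
BAD_VALUES = {
    ("\\policies\\system", "enablelua", "0"):
        ("uac-disabled", "EnableLUA=0: UAC is off after the next reboot"),
    ("\\policies\\system", "disableregistrytools", "1"):
        ("defense-evasion", "DisableRegistryTools=1: regedit.exe refused by policy"),
    ("\\explorer\\advanced", "hidefileext", "1"):
        ("defense-evasion", "HideFileExt=1: 'Scandal.avi.exe' is shown as 'Scandal.avi'"),
    ("\\explorer\\advanced", "showsuperhidden", "0"):
        ("defense-evasion", "ShowSuperHidden=0: hidden/system files are not shown"),
}

@dataclass
class RegEvent:
    path: str              # key path, plus \<name> for "Set value" events
    value: Optional[str]   # None for "Key created" events
    process: str

@dataclass
class Finding:
    category: str
    detail: str
    process: str

def parse_line(line: str) -> Optional[RegEvent]:
    """One IOC line -> RegEvent, or None when it is not a registry line."""
    line = line.strip()
    m = SET_RE.match(line)
    if m:
        return RegEvent(m.group(1), m.group(2), m.group(3))
    if line.startswith("Key created "):
        path, _, proc = line[len("Key created "):].rpartition(" ")
        if path:
            return RegEvent(path, None, proc)
    return None

def analyse(ev: RegEvent) -> Optional[Finding]:
    """Apply the persistence / evasion rules to one event."""
    key, _, name = ev.path.rpartition("\\")
    lkey, lname, v = key.lower(), name.lower(), ev.value
    if v is None:  # "Key created": only IFEO subkeys matter on their own
        if lkey.endswith("\\image file execution options"):
            return Finding("ifeo-target", "IFEO subkey created for " + name, ev.process)
        return None
    # Winlogon Shell/Userinit: any entry beyond the default one runs at every logon.
    if lkey.endswith("\\windows nt\\currentversion\\winlogon") and lname in ("shell", "userinit"):
        default = "explorer.exe" if lname == "shell" else "userinit.exe"
        entries = [e.strip() for e in v.split(",") if e.strip()]
        extra = [e for e in entries if e.lower().rpartition("\\")[2] != default]
        if not extra:
            return None
        note = ""
        if "\\wow6432node\\" in lkey:
            # Winlogon is not WOW64-shared: a 32-bit writer lands in the 32-bit
            # view, which the 64-bit winlogon.exe never reads.
            note = " [32-bit WOW6432Node view]"
        return Finding("winlogon-persistence", name + " gains " + ", ".join(extra) + note, ev.process)
    # IFEO Debugger: the loader runs "<Debugger> <original command line>" instead.
    if "\\image file execution options\\" in lkey and lname == "debugger":
        image = key.rpartition("\\")[2]
        if v.lower().startswith("cmd.exe /c del"):
            return Finding("ifeo-kill", "starting " + image + " deletes it via '" + v + " <path>'", ev.process)
        return Finding("ifeo-hijack", "starting " + image + " runs " + v + " instead", ev.process)
    if lkey.endswith("\\currentversion\\run"):
        return Finding("autostart", "Run\\" + name + " = " + v, ev.process)
    for (suffix, vname, bad), (cat, detail) in BAD_VALUES.items():
        if lkey.endswith(suffix) and lname == vname and v == bad:
            return Finding(cat, detail, ev.process)
    return None

def triage(lines: List[str]) -> List[Finding]:
    events = (ev for ev in map(parse_line, lines) if ev is not None)
    return [f for f in map(analyse, events) if f is not None]

# Constructed from the report's tables; the last line is a made-up benign control.
SAMPLE_LINES = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe Gaara.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" Gaara.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe" benign.exe',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"{f.category:22} {f.process:14} {f.detail}")
```

Feeding the report's full tables through triage() gives the same ten categories of finding repeated per dropped copy; the control line produces nothing because Shell = "explorer.exe" is the default. To verify on a live host rather than a report, the same checks map to `reg query` of the native and WOW6432Node Winlogon keys, the IFEO key, HKLM Policies\System and the user's Explorer\Advanced key.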
Executes dropped EXE (30 IoCs)
pid | process
5560 | smss.exe
4848 | smss.exe
4964 | Gaara.exe
3800 | smss.exe
3672 | Gaara.exe
4944 | csrss.exe
1680 | smss.exe
2012 | Gaara.exe
4032 | csrss.exe
4068 | Gaara.exe
5892 | csrss.exe
5016 | Kazekage.exe
4532 | Kazekage.exe
2252 | smss.exe
3256 | system32.exe
4320 | csrss.exe
5188 | Gaara.exe
3704 | Kazekage.exe
5596 | smss.exe
3144 | csrss.exe
1464 | Kazekage.exe
2188 | system32.exe
5720 | Gaara.exe
2140 | Kazekage.exe
5504 | system32.exe
3960 | csrss.exe
5864 | system32.exe
5340 | Kazekage.exe
2848 | system32.exe
1852 | system32.exe
Loads dropped DLL (18 IoCs)
pid | process
5560 | smss.exe
4848 | smss.exe
4964 | Gaara.exe
3800 | smss.exe
3672 | Gaara.exe
4944 | csrss.exe
1680 | smss.exe
2012 | Gaara.exe
4032 | csrss.exe
4068 | Gaara.exe
5892 | csrss.exe
2252 | smss.exe
4320 | csrss.exe
5188 | Gaara.exe
5596 | smss.exe
3144 | csrss.exe
5720 | Gaara.exe
3960 | csrss.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | csrss.exe
Checks whether UAC is enabled (1 TTP, 6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Drops desktop.ini file(s) (64 IoCs)
description | ioc | process
File opened for modification | \??\K:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Q:\Desktop.ini | csrss.exe
File opened for modification | D:\Desktop.ini | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | \??\K:\Desktop.ini | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | \??\G:\Desktop.ini | Gaara.exe
File opened for modification | \??\I:\Desktop.ini | Gaara.exe
File opened for modification | \??\W:\Desktop.ini | Gaara.exe
File opened for modification | \??\X:\Desktop.ini | Kazekage.exe
File opened for modification | \??\V:\Desktop.ini | csrss.exe
File opened for modification | \??\H:\Desktop.ini | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | \??\V:\Desktop.ini | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Desktop.ini | Gaara.exe
File opened for modification | F:\Desktop.ini | Gaara.exe
File opened for modification | D:\Desktop.ini | smss.exe
File opened for modification | \??\Z:\Desktop.ini | smss.exe
File opened for modification | \??\O:\Desktop.ini | csrss.exe
File opened for modification | \??\P:\Desktop.ini | Kazekage.exe
File opened for modification | \??\B:\Desktop.ini | smss.exe
File opened for modification | F:\Desktop.ini | smss.exe
File opened for modification | \??\P:\Desktop.ini | smss.exe
File opened for modification | \??\G:\Desktop.ini | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | \??\I:\Desktop.ini | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | \??\J:\Desktop.ini | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | \??\P:\Desktop.ini | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | F:\Desktop.ini | Kazekage.exe
File opened for modification | \??\U:\Desktop.ini | csrss.exe
File opened for modification | \??\L:\Desktop.ini | Gaara.exe
File opened for modification | \??\Q:\Desktop.ini | Gaara.exe
File opened for modification | \??\I:\Desktop.ini | Kazekage.exe
File opened for modification | \??\O:\Desktop.ini | Kazekage.exe
File opened for modification | \??\A:\Desktop.ini | csrss.exe
File opened for modification | \??\I:\Desktop.ini | csrss.exe
File opened for modification | \??\X:\Desktop.ini | csrss.exe
File opened for modification | \??\Q:\Desktop.ini | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | \??\R:\Desktop.ini | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | \??\L:\Desktop.ini | csrss.exe
File opened for modification | C:\Desktop.ini | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | \??\E:\Desktop.ini | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | \??\M:\Desktop.ini | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | \??\S:\Desktop.ini | Gaara.exe
File opened for modification | \??\E:\Desktop.ini | Kazekage.exe
File opened for modification | D:\Desktop.ini | system32.exe
File opened for modification | \??\A:\Desktop.ini | system32.exe
File opened for modification | \??\H:\Desktop.ini | smss.exe
File opened for modification | \??\U:\Desktop.ini | smss.exe
File opened for modification | F:\Desktop.ini | csrss.exe
File opened for modification | \??\I:\Desktop.ini | system32.exe
File opened for modification | \??\Z:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Z:\Desktop.ini | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | \??\V:\Desktop.ini | Gaara.exe
File opened for modification | \??\G:\Desktop.ini | smss.exe
File opened for modification | \??\W:\Desktop.ini | csrss.exe
File opened for modification | \??\X:\Desktop.ini | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | \??\R:\Desktop.ini | Gaara.exe
File opened for modification | \??\T:\Desktop.ini | Gaara.exe
File opened for modification | \??\G:\Desktop.ini | Kazekage.exe
File opened for modification | \??\N:\Desktop.ini | system32.exe
File opened for modification | \??\T:\Desktop.ini | system32.exe
File opened for modification | \??\Y:\Desktop.ini | system32.exe
File opened for modification | C:\Desktop.ini | csrss.exe
File opened for modification | \??\E:\Desktop.ini | Gaara.exe
File opened for modification | \??\Q:\Desktop.ini | Kazekage.exe
File opened for modification | \??\R:\Desktop.ini | Kazekage.exe
File opened for modification | \??\T:\Desktop.ini | Kazekage.exe
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | process
File opened (read-only) | \??\L: | smss.exe
File opened (read-only) | \??\Q: | smss.exe
File opened (read-only) | \??\B: | csrss.exe
File opened (read-only) | \??\G: | csrss.exe
File opened (read-only) | \??\J: | csrss.exe
File opened (read-only) | \??\X: | csrss.exe
File opened (read-only) | \??\X: | smss.exe
File opened (read-only) | \??\S: | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\W: | Gaara.exe
File opened (read-only) | \??\W: | Kazekage.exe
File opened (read-only) | \??\Y: | Kazekage.exe
File opened (read-only) | \??\B: | smss.exe
File opened (read-only) | \??\N: | smss.exe
File opened (read-only) | \??\E: | csrss.exe
File opened (read-only) | \??\L: | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\P: | system32.exe
File opened (read-only) | \??\B: | Kazekage.exe
File opened (read-only) | \??\W: | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\I: | Kazekage.exe
File opened (read-only) | \??\R: | smss.exe
File opened (read-only) | \??\I: | csrss.exe
File opened (read-only) | \??\Q: | csrss.exe
File opened (read-only) | \??\Z: | csrss.exe
File opened (read-only) | \??\J: | system32.exe
File opened (read-only) | \??\U: | csrss.exe
File opened (read-only) | \??\K: | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\Y: | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\E: | Gaara.exe
File opened (read-only) | \??\A: | system32.exe
File opened (read-only) | \??\E: | Kazekage.exe
File opened (read-only) | \??\G: | Kazekage.exe
File opened (read-only) | \??\Q: | system32.exe
File opened (read-only) | \??\E: | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\T: | smss.exe
File opened (read-only) | \??\U: | smss.exe
File opened (read-only) | \??\V: | csrss.exe
File opened (read-only) | \??\M: | Gaara.exe
File opened (read-only) | \??\N: | Kazekage.exe
File opened (read-only) | \??\I: | system32.exe
File opened (read-only) | \??\K: | system32.exe
File opened (read-only) | \??\M: | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\O: | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\P: | Kazekage.exe
File opened (read-only) | \??\R: | Kazekage.exe
File opened (read-only) | \??\P: | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\R: | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\L: | Kazekage.exe
File opened (read-only) | \??\H: | system32.exe
File opened (read-only) | \??\R: | system32.exe
File opened (read-only) | \??\U: | system32.exe
File opened (read-only) | \??\O: | csrss.exe
File opened (read-only) | \??\X: | Kazekage.exe
File opened (read-only) | \??\E: | smss.exe
File opened (read-only) | \??\N: | csrss.exe
File opened (read-only) | \??\B: | Gaara.exe
File opened (read-only) | \??\H: | Kazekage.exe
File opened (read-only) | \??\W: | smss.exe
File opened (read-only) | \??\Q: | Kazekage.exe
File opened (read-only) | \??\T: | system32.exe
File opened (read-only) | \??\Y: | smss.exe
File opened (read-only) | \??\B: | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\V: | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\J: | Gaara.exe
File opened (read-only) | \??\X: | Gaara.exe
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File created | \??\J:\Autorun.inf | Gaara.exe
File created | \??\B:\Autorun.inf | system32.exe
File created | \??\E:\Autorun.inf | Gaara.exe
File opened for modification | \??\J:\Autorun.inf | system32.exe
File created | \??\Q:\Autorun.inf | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | \??\Z:\Autorun.inf | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File created | \??\B:\Autorun.inf | smss.exe
File created | \??\X:\Autorun.inf | smss.exe
File created | \??\L:\Autorun.inf | csrss.exe
File created | \??\V:\Autorun.inf | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File created | \??\I:\Autorun.inf | Gaara.exe
File opened for modification | D:\Autorun.inf | csrss.exe
File created | D:\Autorun.inf | system32.exe
File opened for modification | \??\T:\Autorun.inf | system32.exe
File opened for modification | \??\M:\Autorun.inf | smss.exe
File created | \??\N:\Autorun.inf | smss.exe
File created | \??\K:\Autorun.inf | Gaara.exe
File created | \??\X:\Autorun.inf | csrss.exe
File created | \??\I:\Autorun.inf | Kazekage.exe
File opened for modification | \??\P:\Autorun.inf | system32.exe
File opened for modification | F:\Autorun.inf | Gaara.exe
File opened for modification | \??\Q:\Autorun.inf | smss.exe
File created | \??\U:\Autorun.inf | smss.exe
File opened for modification | C:\Autorun.inf | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | \??\E:\Autorun.inf | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | \??\M:\Autorun.inf | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | F:\Autorun.inf | smss.exe
File opened for modification | F:\Autorun.inf | Kazekage.exe
File opened for modification | \??\N:\Autorun.inf | Kazekage.exe
File opened for modification | \??\V:\Autorun.inf | Kazekage.exe
File opened for modification | \??\X:\Autorun.inf | Kazekage.exe
File opened for modification | \??\K:\Autorun.inf | csrss.exe
File created | \??\A:\Autorun.inf | Kazekage.exe
File opened for modification | \??\Y:\Autorun.inf | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | \??\A:\Autorun.inf | csrss.exe
File opened for modification | C:\Autorun.inf | csrss.exe
File created | \??\A:\Autorun.inf | Gaara.exe
File opened for modification | \??\L:\Autorun.inf | Gaara.exe
File created | \??\N:\Autorun.inf | Gaara.exe
File created | \??\O:\Autorun.inf | Gaara.exe
File created | \??\R:\Autorun.inf | Gaara.exe
File created | \??\E:\Autorun.inf | csrss.exe
File opened for modification | \??\M:\Autorun.inf | csrss.exe
File opened for modification | \??\V:\Autorun.inf | csrss.exe
File created | \??\Z:\Autorun.inf | smss.exe
File opened for modification | \??\G:\Autorun.inf | csrss.exe
File created | \??\N:\Autorun.inf | csrss.exe
File created | \??\Y:\Autorun.inf | csrss.exe
File opened for modification | \??\A:\Autorun.inf | Kazekage.exe
File opened for modification | \??\J:\Autorun.inf | Kazekage.exe
File opened for modification | \??\W:\Autorun.inf | Kazekage.exe
File created | \??\L:\Autorun.inf | system32.exe
File created | \??\O:\Autorun.inf | smss.exe
File created | \??\H:\Autorun.inf | Gaara.exe
File created | \??\T:\Autorun.inf | csrss.exe
File opened for modification | \??\Y:\Autorun.inf | Kazekage.exe
File opened for modification | \??\B:\Autorun.inf | Gaara.exe
File created | \??\O:\Autorun.inf | csrss.exe
File opened for modification | \??\T:\Autorun.inf | csrss.exe
File opened for modification | \??\W:\Autorun.inf | csrss.exe
File opened for modification | C:\Autorun.inf | system32.exe
File opened for modification | \??\M:\Autorun.inf | system32.exe
File opened for modification | \??\O:\Autorun.inf | system32.exe
File created | \??\X:\Autorun.inf | system32.exe
Drops file in System32 directory 39 IoCs
description | ioc | Process
File created | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\SysWOW64\mscomctl.ocx | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\SysWOW64\ | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | system32.exe
File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | smss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\ | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | system32.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File created | C:\Windows\SysWOW64\2-5-2025.exe | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\SysWOW64\ | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\ | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\ | system32.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | csrss.exe
File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\Desktop.ini | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | Gaara.exe
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
resource | yara_rule
behavioral1/memory/1412-0-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x0007000000024294-11.dat | upx
behavioral1/files/0x0007000000024292-30.dat | upx
behavioral1/memory/5560-32-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x0007000000024294-45.dat | upx
behavioral1/files/0x0007000000024295-49.dat | upx
behavioral1/memory/4964-74-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x0007000000024293-73.dat | upx
behavioral1/memory/4848-78-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x0007000000024298-96.dat | upx
behavioral1/files/0x0007000000024295-88.dat | upx
behavioral1/memory/3800-109-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3672-114-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3800-118-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/4944-125-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3672-124-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x0007000000024294-122.dat | upx
behavioral1/memory/1412-131-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x0007000000024298-141.dat | upx
behavioral1/memory/5560-152-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x0007000000024297-136.dat | upx
behavioral1/files/0x0007000000024295-132.dat | upx
behavioral1/memory/1680-158-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/4032-164-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2012-167-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/4964-172-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/4068-179-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/5016-186-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/4032-182-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/4532-191-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/4944-190-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/5892-198-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x0007000000024298-204.dat | upx
behavioral1/memory/2252-216-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/files/0x0007000000024295-199.dat | upx
behavioral1/memory/3256-223-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/4532-226-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/5188-233-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2252-235-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/5016-255-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/5188-257-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2188-261-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3704-264-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3256-270-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1464-275-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2188-279-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/5720-282-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/5864-284-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2140-289-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/5504-292-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3960-295-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/5864-300-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/5340-303-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/2848-307-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1852-309-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1412-310-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/5560-311-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/5016-312-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/3256-314-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/4964-313-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/4944-315-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1412-316-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/5560-317-0x0000000000400000-0x000000000042A000-memory.dmp | upx
behavioral1/memory/1412-347-0x0000000000400000-0x000000000042A000-memory.dmp | upx
Drops file in Windows directory 64 IoCs
description | ioc | Process
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | csrss.exe
File opened for modification | C:\Windows\ | smss.exe
File opened for modification | C:\Windows\ | Gaara.exe
File opened for modification | C:\Windows\ | csrss.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | Gaara.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | Kazekage.exe
File opened for modification | C:\Windows\mscomctl.ocx | Gaara.exe
File created | C:\Windows\Fonts\The Kazekage.jpg | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | smss.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | system32.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | system32.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File created | C:\Windows\WBEM\msvbvm60.dll | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | Gaara.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\system\mscoree.dll | Kazekage.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | smss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | smss.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | csrss.exe
File opened for modification | C:\Windows\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\WBEM\msvbvm60.dll | system32.exe
File created | C:\Windows\mscomctl.ocx | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\mscomctl.ocx | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | smss.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File created | C:\Windows\msvbvm60.dll | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\system\mscoree.dll | Gaara.exe
File opened for modification | C:\Windows\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | csrss.exe
File opened for modification | C:\Windows\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | Kazekage.exe
File opened for modification | C:\Windows\system\mscoree.dll | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\ | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\ | system32.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Kazekage.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\system\mscoree.dll | smss.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\system\mscoree.dll | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | smss.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\msvbvm60.dll | system32.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | Gaara.exe
File opened for modification | C:\Windows\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | csrss.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | csrss.exe
File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\system\mscoree.dll | csrss.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
5332 | ping.exe
3304 | ping.exe
1208 | ping.exe
4908 | ping.exe
4404 | ping.exe
4448 | ping.exe
5628 | ping.exe
4872 | ping.exe
5544 | ping.exe
216 | ping.exe
6060 | ping.exe
1688 | ping.exe
3740 | ping.exe
5076 | ping.exe
4908 | ping.exe
2528 | ping.exe
5100 | ping.exe
2584 | ping.exe
4308 | ping.exe
1592 | ping.exe
3948 | ping.exe
2552 | ping.exe
6032 | ping.exe
4748 | ping.exe
2324 | ping.exe
4116 | ping.exe
4808 | ping.exe
2896 | ping.exe
5456 | ping.exe
1624 | ping.exe
5572 | ping.exe
2144 | ping.exe
5768 | ping.exe
2656 | ping.exe
100 | ping.exe
3280 | ping.exe
Modifies Control Panel 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | smss.exe
| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main | csrss.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main | Kazekage.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main | system32.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main | smss.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe |
| Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main | Gaara.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe |
Modifies registry class 51 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Gaara.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | smss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Gaara.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | system32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | system32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Gaara.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | system32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Kazekage.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Gaara.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Kazekage.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Kazekage.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Kazekage.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | system32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | system32.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | smss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | csrss.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Gaara.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | system32.exe |
Runs ping.exe 1 TTPs 36 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of SetWindowsHookEx 31 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 12 IoCs
| description | ioc | Process |
| --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Kazekage.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Gaara.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | system32.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | smss.exe |
Processes
[level 1] C:\Users\Admin\AppData\Local\Temp\2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe, command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-02_2dbb5c1082d809ce83df93eb2f480a30_black-basta_elex_luca-stealer.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1412
[level 2] C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe, command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5560
[level 3] C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe, command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4848
[level 3] C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe, command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4964
[level 4] C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe, command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3800
[level 4] C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe, command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3672
[level 4] C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe, command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4944
[level 5] C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe, command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1680
[level 5] C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe, command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2012
[level 5] C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe, command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4032
[level 5] C:\Windows\SysWOW64\drivers\Kazekage.exe, command line: C:\Windows\system32\drivers\Kazekage.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5016
[level 6] C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe, command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2252
[level 6] C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe, command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5188
[level 6] C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe, command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3144
[level 6] C:\Windows\SysWOW64\drivers\Kazekage.exe, command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2140
[level 6] C:\Windows\SysWOW64\drivers\system32.exe, command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5864
[level 6] C:\Windows\SysWOW64\ping.exe, command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3304
[level 6] C:\Windows\SysWOW64\ping.exe, command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6060
[level 6] C:\Windows\SysWOW64\ping.exe, command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6032
[level 6] C:\Windows\SysWOW64\ping.exe, command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5456
[level 6] C:\Windows\SysWOW64\ping.exe, command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2528
[level 6] C:\Windows\SysWOW64\ping.exe, command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5572
[level 5] C:\Windows\SysWOW64\drivers\system32.exe, command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2848
[level 5] C:\Windows\SysWOW64\ping.exe, command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:216
[level 5] C:\Windows\SysWOW64\ping.exe, command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2324
[level 5] C:\Windows\SysWOW64\ping.exe, command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:100
[level 5] C:\Windows\SysWOW64\ping.exe, command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2552
[level 5] C:\Windows\SysWOW64\ping.exe, command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4116
[level 5] C:\Windows\SysWOW64\ping.exe, command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4908
[level 4] C:\Windows\SysWOW64\drivers\Kazekage.exe, command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3704
[level 4] C:\Windows\SysWOW64\drivers\system32.exe, command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2188
[level 4] C:\Windows\SysWOW64\ping.exe, command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2656
[level 4] C:\Windows\SysWOW64\ping.exe, command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3948
[level 4] C:\Windows\SysWOW64\ping.exe, command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2584
[level 4] C:\Windows\SysWOW64\ping.exe, command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4448
[level 4] C:\Windows\SysWOW64\ping.exe, command line: ping -a -l www.rasasayang.com.my 65500
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4308
[level 4] C:\Windows\SysWOW64\ping.exe, command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5076
[level 3] C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe, command line: "C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4320
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1464
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5504
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1592
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5768
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1688
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5100
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3280
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5544
-
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4068
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5892
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4532
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3256 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5596
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5720
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3960
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5340
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1852
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2896
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1208
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3740
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1624
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4748
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4808
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2144
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5332
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4908
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4404
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5628
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4872
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:1964
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:3752
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:2544
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2196
Network

MITRE ATT&CK Enterprise v16

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (8)
Downloads

Filesize: 8.3MB
MD5: 28fa0d74e3f0ad2191038715aecada1a
SHA1: 075dd97f41966e3a0741c0caab5c95a1fc18a5ea
SHA256: f1651c80a437b451bf97b777a8eafeba44d34110cf991e7b1f6ce238b849d492
SHA512: b340522a1a52fe62d34e9fccedeb2c90d7b59af0c1b273d489df1baa150687f798503315c0733ddbea3e5e8de78f4e585acca46c8835d1c6e502eb8cfb06d824

Filesize: 736B
MD5: bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1: 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256: 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512: 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

Filesize: 196B
MD5: 1564dfe69ffed40950e5cb644e0894d1
SHA1: 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256: be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512: 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

Filesize: 8.3MB
MD5: 517b163c583432c16cee6164dd579cd0
SHA1: a9594485350b999a8d2414e5688a4a937a7dc277
SHA256: 3b4e64ee81fc84c5ab2587ff3168416c9cbe227e69f8cf483eaa3969c5707bff
SHA512: 477a80d2853ffe00ca921f64056416d6aaa66072b225202e489842fb0fcf5805341f186ae212c77c5127c7fa9e411087639a8f0e39bfb5082d0037f1fc156091

Filesize: 8.3MB
MD5: 2dbb5c1082d809ce83df93eb2f480a30
SHA1: c78a7e6ffe18f24d352c9540d22b18fb13fbf477
SHA256: b672ba2801a2f3f9ca5b3bc1b8bee564c4a7c32bd33fb5bf19d585146eeef8cf
SHA512: 021be5d67af78098e5f5aa6964942aaf22a1d00252a43962679b16586f76c92adbf6c1d3d4dd7b4f841f0a9e79b548cb916df3212b6c68c6b4b5bb5e939d6db4

Filesize: 8.3MB
MD5: 05f2b9e64d365bc4c8008a2f2c7a9a05
SHA1: e6ed989b93d5aaa2a63f5c44189fd06c91327464
SHA256: bf4b9a33ad0a453b82dd4e9b47ab2f8579de087dae0b9b06707cc253c3590f11
SHA512: 3335eed692d058ded6bf8ccc7be628124e4d20b3afbc3199d3a849f50ee75038718758a751210a08051d1d79b456cef59443f48121fbd619196929aae9b7d7ad

Filesize: 8.3MB
MD5: 425ea25f879293965de2388fc7e5f25d
SHA1: bbe5f7aa306f0e20e01260a3cf229e0a9c592e76
SHA256: e9eb361ceb652b364d4391e23952690a423b23d496d34a8885b565eb5202e174
SHA512: 5c27108e69784fbf88d7e2e91b96e0cca192a1c224d531bf5179f30b9a203809accbddadebc07b7c53aa141b51c66fcf11cd5a6ac636cab835d4b9a5c8c50848

Filesize: 8.3MB
MD5: fbc334f5aa8655a89edd01fb0a1682b8
SHA1: 360d68fd5737aedc10ff7a9f248d705ab285c31a
SHA256: ac2b2b1ce0504445255b5b95ce4b0503c0a53c89346444fb0f623c86c503fde8
SHA512: 14fe697e4939c6c9108ada5d7719ed40082f5752b86b62ec75a73e5a9522cb60b9a9296f76ebecdd40d5acc0448239c153c6d8a16d0b4e6f85f8f1e5233decda

Filesize: 1.4MB
MD5: d6b05020d4a0ec2a3a8b687099e335df
SHA1: df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256: 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512: 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

Filesize: 8.3MB
MD5: 0bab5cfa406ae0bb913de68c83ecc744
SHA1: 8343a772117f6a69f2e3d7648646d0e37e944b88
SHA256: 957dd770041f69f44bcebda193123b533e12885936829315b4fc356318b007f4
SHA512: 57297526801a702d087c49bee6f80f8ea898d48f4b4623546cfc70564e9cb07bdd5f9683f265b534621455d6cfc9142332abdcff8efaf7dfbcbc05bba07ebf93

Filesize: 8.3MB
MD5: 1ee7c026446b2b625b6cba581556aec1
SHA1: 6c2b70476fc066571605f08bfad04534b20578c5
SHA256: c321145b3dc254015d619f8953e36f2635ae00e7dba88dca40529613cf18d5a6
SHA512: ae19efda3098a38a8d7f650c84dd279dd77c270de6544a41c0d06d83cefff6a40b26a61fad9231eff2759d466973cd0a9fc5bbcfa4d5715eee501ba17d7b280d

Filesize: 8.3MB
MD5: 4f815a5e34938a6d4db599cde91d26d6
SHA1: cff94ab2888210960bf4ffb74a2b9929fa1e4078
SHA256: 234ca7d14c2120fa834ae01d644f6a3aa7d5758d0b2fbb373b0741c9763863bf
SHA512: 84a90cf5fe62cfcb261902b57b0ea6c7b559d0c4f920bad466de9381abad8d67bd3b8a21ce449ffd2bc08f8476b68c95f7ca319cf125540f444012d9e2aceb1d

Filesize: 8.3MB
MD5: 8a803625ee2cb953e6ea145ceafa59df
SHA1: 8ce49b26456f43828e7f42b85b4a873c79f60aff
SHA256: 7a1cd45c535178a787215c7f410ffdf8e969edb5a8a6e0a7f8f0fb178067dcef
SHA512: bc8bef94e75e44989ae775356cd9ebc523ff2f1cc7312d34fd2c82ba40cdf3b579767ae242196080c3eb1f4273f7c2b16ae3b84b9e0d61dbe4df53137ee5daca

Filesize: 65B
MD5: 64acfa7e03b01f48294cf30d201a0026
SHA1: 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256: ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512: 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

Filesize: 8.3MB
MD5: e8b49866850b49063e3982d8f34bf974
SHA1: e35e174b2172542f748be948623a0cfbb1b06144
SHA256: 72f57f430b83916396c35782698e49eaac273fb46f1c25da74e7aa4c1c298818
SHA512: 44abdbbf1cc356548382a41178638871fbd9e1d206f61d09a43ecb77c7bd4968fa9068f840c3a4a84bf7644fc83843f4079873c4e59974533b26bfcc79e1ce5a

Filesize: 8.3MB
MD5: 62fb35f067b477efb6b9580ea21f281b
SHA1: d415ae6ff27d4bcb9728156a4a21963c5840f738
SHA256: 9a8ea6c39d4e9cd867bede547b6798679780f72f7d5b5aea3d23dbf9e61658d4
SHA512: 8c117c77c650bdf4011ba29d2f81f2188b93766ca3eee2b5cfc5381fbf0cafe9b73bca1d40efbc486ea170d0d6e15009fb9685c130c8ca2d797cca3029986d97

Filesize: 8.3MB
MD5: afd2a25376b4cda3839c56a8563d9d10
SHA1: 2cd20164179d60c6967d9b548cf39db7092f2d43
SHA256: 48d255b7f77e96826ee7ad7682a06c311c86f89c0caebe7c45516c6a1634f966
SHA512: 202ce8878e3463a8bf0402f0e5b06b27243768b51d23f80f521b52be52cbc90a94f8a67a4268b204a1f54eaedc1b10fb6f591d9abc51982e218508ad02695e66

Filesize: 8.3MB
MD5: 4bfb2a4c94012afd2c73681fe731f681
SHA1: 99f9428ae08dc878b849ed6ff44b1a409ccce4b9
SHA256: 82b14f49ac321b867fa7f5d7f9aadad703dc18824d52823a717ae014d1818013
SHA512: a187096284157e2d41ebc42f95901d8d7639d6b60a58c9a836c976caf70a3cddce5b7b0365ab287afdf69f610eb042eb956f73cae13ee214558af9c66927aa9b

Filesize: 1.4MB
MD5: 25f62c02619174b35851b0e0455b3d94
SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a