Analysis
-
max time kernel
150s -
max time network
126s -
platform
windows11-21h2_x64 -
resource
win11-20250410-en -
resource tags
arch:x64arch:x86image:win11-20250410-enlocale:en-usos:windows11-21h2-x64system -
submitted
02/05/2025, 10:45
Behavioral task
behavioral1
Sample
2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe
Resource
win10v2004-20250314-en
Behavioral task
behavioral2
Sample
2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe
Resource
win11-20250410-en
General
-
Target
2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe
-
Size
8.3MB
-
MD5
68c3ccf1747176dd33a3396e0a6df5b6
-
SHA1
49a368528aa1bf37f3e46921d7ed127f7937b68b
-
SHA256
6343149321470c22336072c0d6bbe1ad7781290cceb1b9ead202d9006d17236f
-
SHA512
a45e5fc2ffc20a2fa177e0f337e90cb51a0e434e2ae77a0c71f0f01de3cb4598f9668b3ef680d6b44e0ec3086ca6e627dc44dfd4b298e80c7e97a60a8eeecad0
-
SSDEEP
49152:qGyqWyWy0GyqWyWyMRPC1eHc785diLvQ8b1gtj:qGyqWyWy0GyqWyWyMRPC1eHL5dGYSW
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe -
UAC bypass 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\system32.exe 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe -
Executes dropped EXE 30 IoCs
pid Process 5832 smss.exe 5536 smss.exe 4640 Gaara.exe 4812 smss.exe 4880 Gaara.exe 5028 csrss.exe 4952 smss.exe 5060 Gaara.exe 5092 csrss.exe 4988 Kazekage.exe 4004 smss.exe 4136 Gaara.exe 3384 csrss.exe 1848 Kazekage.exe 3348 system32.exe 3092 smss.exe 1872 Gaara.exe 3708 csrss.exe 3504 Kazekage.exe 5112 system32.exe 5416 system32.exe 784 Kazekage.exe 4180 system32.exe 5264 csrss.exe 1308 Kazekage.exe 5532 system32.exe 5132 Gaara.exe 6084 csrss.exe 1160 Kazekage.exe 4644 system32.exe -
Loads dropped DLL 18 IoCs
pid Process 5832 smss.exe 5536 smss.exe 4640 Gaara.exe 4812 smss.exe 4880 Gaara.exe 5028 csrss.exe 4952 smss.exe 5060 Gaara.exe 5092 csrss.exe 4004 smss.exe 4136 Gaara.exe 3384 csrss.exe 3092 smss.exe 1872 Gaara.exe 3708 csrss.exe 5264 csrss.exe 5132 Gaara.exe 6084 csrss.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe -
Checks whether UAC is enabled 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification \??\O:\Desktop.ini 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification \??\P:\Desktop.ini 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification \??\U:\Desktop.ini system32.exe File opened for modification \??\Y:\Desktop.ini system32.exe File opened for modification \??\V:\Desktop.ini 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification F:\Desktop.ini smss.exe File opened for modification \??\G:\Desktop.ini Kazekage.exe File opened for modification \??\H:\Desktop.ini Kazekage.exe File opened for modification \??\R:\Desktop.ini csrss.exe File opened for modification \??\U:\Desktop.ini csrss.exe File opened for modification \??\U:\Desktop.ini 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification F:\Desktop.ini system32.exe File opened for modification C:\Desktop.ini csrss.exe File opened for modification \??\K:\Desktop.ini 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification \??\X:\Desktop.ini 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification \??\Q:\Desktop.ini system32.exe File opened for modification \??\G:\Desktop.ini smss.exe File opened for modification \??\S:\Desktop.ini smss.exe File opened for modification \??\T:\Desktop.ini smss.exe File opened for modification F:\Desktop.ini Gaara.exe File opened for modification \??\M:\Desktop.ini Gaara.exe File opened for modification \??\S:\Desktop.ini system32.exe File opened for modification F:\Desktop.ini 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification \??\W:\Desktop.ini 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification \??\W:\Desktop.ini smss.exe File opened for modification \??\R:\Desktop.ini system32.exe File opened for modification \??\I:\Desktop.ini Kazekage.exe File opened for modification \??\L:\Desktop.ini Kazekage.exe File opened for modification \??\N:\Desktop.ini 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification \??\Y:\Desktop.ini Kazekage.exe File opened for modification \??\E:\Desktop.ini csrss.exe File opened for modification \??\Z:\Desktop.ini 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification \??\H:\Desktop.ini Gaara.exe File opened for modification \??\E:\Desktop.ini system32.exe File opened for modification \??\A:\Desktop.ini Kazekage.exe File opened for modification \??\H:\Desktop.ini 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification \??\O:\Desktop.ini smss.exe File opened for modification \??\R:\Desktop.ini smss.exe File opened for modification \??\X:\Desktop.ini smss.exe File opened for modification \??\I:\Desktop.ini system32.exe File opened for modification \??\T:\Desktop.ini Kazekage.exe File opened for modification \??\I:\Desktop.ini smss.exe File opened for modification \??\T:\Desktop.ini Gaara.exe File opened for modification \??\J:\Desktop.ini 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification \??\B:\Desktop.ini Kazekage.exe File opened for modification \??\P:\Desktop.ini csrss.exe File opened for modification \??\Y:\Desktop.ini Gaara.exe File opened for modification F:\Desktop.ini csrss.exe File opened for modification \??\J:\Desktop.ini csrss.exe File opened for modification \??\O:\Desktop.ini csrss.exe File opened for modification \??\R:\Desktop.ini Kazekage.exe File opened for modification D:\Desktop.ini Gaara.exe File opened for modification \??\I:\Desktop.ini Gaara.exe File opened for modification \??\O:\Desktop.ini Kazekage.exe File opened for modification \??\J:\Desktop.ini Gaara.exe File opened for modification \??\Q:\Desktop.ini Gaara.exe File opened for modification \??\Z:\Desktop.ini Gaara.exe File opened for modification \??\B:\Desktop.ini Gaara.exe File opened for modification \??\H:\Desktop.ini csrss.exe File opened for modification \??\Q:\Desktop.ini csrss.exe File opened for modification \??\Q:\Desktop.ini 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification \??\X:\Desktop.ini Kazekage.exe File opened for modification C:\Desktop.ini smss.exe File opened for modification \??\K:\Desktop.ini Kazekage.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\P: 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened (read-only) \??\Y: Kazekage.exe File opened (read-only) \??\J: smss.exe File opened (read-only) \??\V: smss.exe File opened (read-only) \??\N: Gaara.exe File opened (read-only) \??\O: Gaara.exe File opened (read-only) \??\T: system32.exe File opened (read-only) \??\B: 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened (read-only) \??\L: csrss.exe File opened (read-only) \??\B: Gaara.exe File opened (read-only) \??\J: Kazekage.exe File opened (read-only) \??\J: csrss.exe File opened (read-only) \??\M: 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened (read-only) \??\O: Kazekage.exe File opened (read-only) \??\S: Kazekage.exe File opened (read-only) \??\H: Gaara.exe File opened (read-only) \??\X: Gaara.exe File opened (read-only) \??\K: Kazekage.exe File opened (read-only) \??\S: csrss.exe File opened (read-only) \??\A: Gaara.exe File opened (read-only) \??\B: system32.exe File opened (read-only) \??\I: Gaara.exe File opened (read-only) \??\Z: system32.exe File opened (read-only) \??\Z: 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened (read-only) \??\L: smss.exe File opened (read-only) \??\M: system32.exe File opened (read-only) \??\M: Gaara.exe File opened (read-only) \??\R: Kazekage.exe File opened (read-only) \??\U: 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened (read-only) \??\X: Kazekage.exe File opened (read-only) \??\K: smss.exe File opened (read-only) \??\S: smss.exe File opened (read-only) \??\E: Kazekage.exe File opened (read-only) \??\L: Kazekage.exe File opened (read-only) \??\T: Gaara.exe File opened (read-only) \??\Q: Kazekage.exe File opened (read-only) \??\Z: Gaara.exe File opened (read-only) \??\B: Kazekage.exe File opened (read-only) \??\Y: csrss.exe File opened (read-only) \??\A: smss.exe File opened (read-only) \??\M: smss.exe File opened (read-only) \??\U: Gaara.exe File opened (read-only) \??\E: smss.exe File opened (read-only) \??\O: smss.exe File opened (read-only) \??\W: smss.exe File opened (read-only) \??\G: Kazekage.exe File opened (read-only) \??\A: system32.exe File opened (read-only) \??\S: system32.exe File opened (read-only) \??\H: csrss.exe File opened (read-only) \??\M: Kazekage.exe File opened (read-only) \??\Q: 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened (read-only) \??\X: smss.exe File opened (read-only) \??\H: 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened (read-only) \??\L: 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened (read-only) \??\O: csrss.exe File opened (read-only) \??\P: Kazekage.exe File opened (read-only) \??\G: system32.exe File opened (read-only) \??\R: csrss.exe File opened (read-only) \??\U: csrss.exe File opened (read-only) \??\L: Gaara.exe File opened (read-only) \??\A: Kazekage.exe File opened (read-only) \??\W: 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened (read-only) \??\I: Kazekage.exe File opened (read-only) \??\V: 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification \??\Q:\Autorun.inf 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File created \??\V:\Autorun.inf smss.exe File opened for modification D:\Autorun.inf csrss.exe File opened for modification \??\I:\Autorun.inf csrss.exe File opened for modification \??\L:\Autorun.inf csrss.exe File created \??\X:\Autorun.inf Kazekage.exe File created \??\A:\Autorun.inf system32.exe File opened for modification \??\N:\Autorun.inf Gaara.exe File created \??\B:\Autorun.inf 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification \??\U:\Autorun.inf 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification \??\N:\Autorun.inf smss.exe File created \??\T:\Autorun.inf smss.exe File opened for modification \??\H:\Autorun.inf csrss.exe File created \??\S:\Autorun.inf csrss.exe File created \??\G:\Autorun.inf system32.exe File created \??\U:\Autorun.inf smss.exe File opened for modification \??\B:\Autorun.inf csrss.exe File opened for modification \??\K:\Autorun.inf csrss.exe File created \??\S:\Autorun.inf Kazekage.exe File created \??\L:\Autorun.inf Gaara.exe File opened for modification \??\X:\Autorun.inf Gaara.exe File created \??\B:\Autorun.inf smss.exe File opened for modification \??\Y:\Autorun.inf csrss.exe File created \??\J:\Autorun.inf Kazekage.exe File opened for modification \??\U:\Autorun.inf Kazekage.exe File opened for modification \??\R:\Autorun.inf Gaara.exe File created \??\X:\Autorun.inf csrss.exe File created \??\K:\Autorun.inf system32.exe File opened for modification \??\M:\Autorun.inf system32.exe File created \??\S:\Autorun.inf system32.exe File opened for modification \??\X:\Autorun.inf system32.exe File opened for modification \??\Z:\Autorun.inf smss.exe File created \??\H:\Autorun.inf system32.exe File created \??\I:\Autorun.inf system32.exe File created \??\Y:\Autorun.inf smss.exe File opened for modification C:\Autorun.inf csrss.exe File created \??\H:\Autorun.inf Kazekage.exe File opened for modification \??\T:\Autorun.inf Kazekage.exe File created \??\V:\Autorun.inf system32.exe File opened for modification \??\K:\Autorun.inf 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification D:\Autorun.inf 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification \??\O:\Autorun.inf csrss.exe File created \??\R:\Autorun.inf Kazekage.exe File opened for modification \??\R:\Autorun.inf 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File created \??\E:\Autorun.inf smss.exe File opened for modification \??\I:\Autorun.inf Gaara.exe File created D:\Autorun.inf 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File created \??\S:\Autorun.inf 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File created \??\U:\Autorun.inf 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification \??\O:\Autorun.inf smss.exe File opened for modification \??\P:\Autorun.inf smss.exe File created \??\T:\Autorun.inf Kazekage.exe File opened for modification \??\S:\Autorun.inf system32.exe File created \??\O:\Autorun.inf smss.exe File opened for modification \??\A:\Autorun.inf csrss.exe File opened for modification D:\Autorun.inf Kazekage.exe File opened for modification \??\N:\Autorun.inf Kazekage.exe File created \??\X:\Autorun.inf system32.exe File opened for modification \??\M:\Autorun.inf Gaara.exe File opened for modification \??\S:\Autorun.inf 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification \??\Q:\Autorun.inf csrss.exe File opened for modification \??\Z:\Autorun.inf Gaara.exe File created D:\Autorun.inf Gaara.exe File opened for modification \??\G:\Autorun.inf system32.exe -
Drops file in System32 directory 39 IoCs
description ioc Process File created C:\Windows\SysWOW64\mscomctl.ocx 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\ smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File created C:\Windows\SysWOW64\2-5-2025.exe 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe Gaara.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe system32.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File opened for modification C:\Windows\SysWOW64\2-5-2025.exe smss.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File created C:\Windows\SysWOW64\Desktop.ini 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\ 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe -
resource yara_rule behavioral2/memory/5932-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002b1d0-11.dat upx behavioral2/files/0x001900000002b1ce-33.dat upx behavioral2/memory/5832-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5536-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5536-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002b1cf-78.dat upx behavioral2/files/0x001900000002b1d1-90.dat upx behavioral2/files/0x001900000002b1d2-93.dat upx behavioral2/files/0x001900000002b1d3-97.dat upx behavioral2/memory/4812-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4880-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002b1d0-121.dat upx behavioral2/memory/5028-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002b1d2-134.dat upx behavioral2/memory/5092-168-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002b1d1-179.dat upx behavioral2/memory/3348-220-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1872-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1308-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5132-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4644-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1160-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5532-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4180-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/784-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5416-261-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5112-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3504-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-238-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002b1d1-226.dat upx behavioral2/files/0x001900000002b1d3-219.dat upx behavioral2/memory/1848-216-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-208-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4136-207-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5832-196-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5932-172-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5060-158-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4952-151-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002b1d3-139.dat upx behavioral2/memory/5932-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5832-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-305-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4988-304-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4640-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5932-318-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5832-409-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5028-424-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002b1f2-498.dat upx behavioral2/memory/4988-519-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3348-542-0x0000000000400000-0x000000000042A000-memory.dmp upx -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe csrss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe Gaara.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe csrss.exe File created C:\Windows\mscomctl.ocx 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\mscomctl.ocx smss.exe File opened for modification C:\Windows\system\mscoree.dll 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe csrss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe smss.exe File created C:\Windows\system\msvbvm60.dll 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\mscoree.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe system32.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe smss.exe File opened for modification C:\Windows\ smss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll smss.exe File opened for modification C:\Windows\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe Gaara.exe File opened for modification C:\Windows\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe Kazekage.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Gaara.exe File created C:\Windows\Fonts\The Kazekage.jpg 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File created C:\Windows\WBEM\msvbvm60.dll smss.exe File opened for modification C:\Windows\mscomctl.ocx system32.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe Gaara.exe File opened for modification C:\Windows\ Gaara.exe File created C:\Windows\WBEM\msvbvm60.dll 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\msvbvm60.dll smss.exe File opened for modification C:\Windows\ 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\ Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\msvbvm60.dll 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe smss.exe File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\system\mscoree.dll system32.exe File opened for modification C:\Windows\ csrss.exe File opened for modification C:\Windows\mscomctl.ocx Gaara.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File created C:\Windows\msvbvm60.dll 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe csrss.exe File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe File opened for modification C:\Windows\msvbvm60.dll system32.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe csrss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\mscoree.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe smss.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe Gaara.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe system32.exe File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe system32.exe File opened for modification C:\Windows\ system32.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe File opened for modification C:\Windows\system\mscoree.dll csrss.exe File created C:\Windows\WBEM\msvbvm60.dll csrss.exe File opened for modification C:\Windows\system\mscoree.dll Kazekage.exe -
System Location Discovery: System Language Discovery 1 TTPs 63 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 34 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2348 ping.exe 5076 ping.exe 5636 ping.exe 3860 ping.exe 3512 ping.exe 1676 ping.exe 1444 ping.exe 996 ping.exe 5816 ping.exe 904 ping.exe 4820 ping.exe 4928 ping.exe 5788 ping.exe 3868 ping.exe 5856 ping.exe 2036 ping.exe 1808 ping.exe 2840 ping.exe 2140 ping.exe 4536 ping.exe 4052 ping.exe 6024 ping.exe 3524 ping.exe 5708 ping.exe 5108 ping.exe 6016 ping.exe 5432 ping.exe 4832 ping.exe 1056 ping.exe 6040 ping.exe 4676 ping.exe 572 ping.exe 1428 ping.exe 1140 ping.exe -
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe Key created \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Size = "72" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Key created \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Size = "72" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Size = "72" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\WallpaperStyle = "2" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop system32.exe Key created \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\WallpaperStyle = "2" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe Key created \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\WallpaperStyle = "2" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe Key created \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Internet Explorer\Main smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Internet Explorer\Main 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Key created \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Internet Explorer\Main system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3437575798-4173230203-4015467660-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe -
Modifies registry class 54 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe -
Runs ping.exe 1 TTPs 34 IoCs
pid Process 6024 ping.exe 1428 ping.exe 1140 ping.exe 5432 ping.exe 5788 ping.exe 1056 ping.exe 996 ping.exe 2840 ping.exe 5076 ping.exe 3512 ping.exe 3868 ping.exe 5856 ping.exe 1444 ping.exe 2348 ping.exe 4928 ping.exe 2036 ping.exe 3524 ping.exe 572 ping.exe 5108 ping.exe 5636 ping.exe 4536 ping.exe 6040 ping.exe 904 ping.exe 1676 ping.exe 4676 ping.exe 4832 ping.exe 5816 ping.exe 3860 ping.exe 2140 ping.exe 5708 ping.exe 1808 ping.exe 6016 ping.exe 4820 ping.exe 4052 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 4988 Kazekage.exe 4988 Kazekage.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 4988 Kazekage.exe 4988 Kazekage.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 4988 Kazekage.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 4988 Kazekage.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 4988 Kazekage.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 4988 Kazekage.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 4988 Kazekage.exe 4988 Kazekage.exe 4988 Kazekage.exe 4988 Kazekage.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 4988 Kazekage.exe 4988 Kazekage.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 4988 Kazekage.exe 4988 Kazekage.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 4988 Kazekage.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 4988 Kazekage.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 4988 Kazekage.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 4988 Kazekage.exe 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 4988 Kazekage.exe 4988 Kazekage.exe 4988 Kazekage.exe 4988 Kazekage.exe 5028 csrss.exe 5028 csrss.exe 5028 csrss.exe 5028 csrss.exe 5028 csrss.exe 5028 csrss.exe 5028 csrss.exe 5028 csrss.exe 5028 csrss.exe 5028 csrss.exe 5028 csrss.exe 5028 csrss.exe 5028 csrss.exe 5028 csrss.exe 5028 csrss.exe 5028 csrss.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 5832 smss.exe 5536 smss.exe 4640 Gaara.exe 4812 smss.exe 4880 Gaara.exe 5028 csrss.exe 4952 smss.exe 5060 Gaara.exe 5092 csrss.exe 4988 Kazekage.exe 4004 smss.exe 4136 Gaara.exe 3384 csrss.exe 1848 Kazekage.exe 3348 system32.exe 3092 smss.exe 1872 Gaara.exe 3708 csrss.exe 3504 Kazekage.exe 5112 system32.exe 5416 system32.exe 784 Kazekage.exe 4180 system32.exe 5264 csrss.exe 1308 Kazekage.exe 5532 system32.exe 5132 Gaara.exe 6084 csrss.exe 1160 Kazekage.exe 4644 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5932 wrote to memory of 5832 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 78 PID 5932 wrote to memory of 5832 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 78 PID 5932 wrote to memory of 5832 5932 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe 78 PID 5832 wrote to memory of 5536 5832 smss.exe 79 PID 5832 wrote to memory of 5536 5832 smss.exe 79 PID 5832 wrote to memory of 5536 5832 smss.exe 79 PID 5832 wrote to memory of 4640 5832 smss.exe 80 PID 5832 wrote to memory of 4640 5832 smss.exe 80 PID 5832 wrote to memory of 4640 5832 smss.exe 80 PID 4640 wrote to memory of 4812 4640 Gaara.exe 81 PID 4640 wrote to memory of 4812 4640 Gaara.exe 81 PID 4640 wrote to memory of 4812 4640 Gaara.exe 81 PID 4640 wrote to memory of 4880 4640 Gaara.exe 82 PID 4640 wrote to memory of 4880 4640 Gaara.exe 82 PID 4640 wrote to memory of 4880 4640 Gaara.exe 82 PID 4640 wrote to memory of 5028 4640 Gaara.exe 83 PID 4640 wrote to memory of 5028 4640 Gaara.exe 83 PID 4640 wrote to memory of 5028 4640 Gaara.exe 83 PID 5028 wrote to memory of 4952 5028 csrss.exe 84 PID 5028 wrote to memory of 4952 5028 csrss.exe 84 PID 5028 wrote to memory of 4952 5028 csrss.exe 84 PID 5028 wrote to memory of 5060 5028 csrss.exe 85 PID 5028 wrote to memory of 5060 5028 csrss.exe 85 PID 5028 wrote to memory of 5060 5028 csrss.exe 85 PID 5028 wrote to memory of 5092 5028 csrss.exe 86 PID 5028 wrote to memory of 5092 5028 csrss.exe 86 PID 5028 wrote to memory of 5092 5028 csrss.exe 86 PID 5028 wrote to memory of 4988 5028 csrss.exe 87 PID 5028 wrote to memory of 4988 5028 csrss.exe 87 PID 5028 wrote to memory of 4988 5028 csrss.exe 87 PID 4988 wrote to memory of 4004 4988 Kazekage.exe 88 PID 4988 wrote to memory of 4004 4988 Kazekage.exe 88 PID 4988 wrote to memory of 4004 4988 Kazekage.exe 88 PID 4988 wrote to memory of 4136 4988 Kazekage.exe 89 PID 4988 wrote to memory of 4136 4988 Kazekage.exe 89 PID 4988 wrote to memory of 4136 4988 Kazekage.exe 89 PID 4988 wrote to memory of 3384 4988 Kazekage.exe 90 PID 4988 wrote to memory of 3384 4988 Kazekage.exe 90 PID 4988 wrote to memory of 3384 4988 Kazekage.exe 90 PID 4988 wrote to memory of 1848 4988 Kazekage.exe 91 PID 4988 wrote to memory of 1848 4988 Kazekage.exe 91 PID 4988 wrote to memory of 1848 4988 Kazekage.exe 91 PID 4988 wrote to memory of 3348 4988 Kazekage.exe 92 PID 4988 wrote to memory of 3348 4988 Kazekage.exe 92 PID 4988 wrote to memory of 3348 4988 Kazekage.exe 92 PID 3348 wrote to memory of 3092 3348 system32.exe 93 PID 3348 wrote to memory of 3092 3348 system32.exe 93 PID 3348 wrote to memory of 3092 3348 system32.exe 93 PID 3348 wrote to memory of 1872 3348 system32.exe 94 PID 3348 wrote to memory of 1872 3348 system32.exe 94 PID 3348 wrote to memory of 1872 3348 system32.exe 94 PID 3348 wrote to memory of 3708 3348 system32.exe 95 PID 3348 wrote to memory of 3708 3348 system32.exe 95 PID 3348 wrote to memory of 3708 3348 system32.exe 95 PID 3348 wrote to memory of 3504 3348 system32.exe 96 PID 3348 wrote to memory of 3504 3348 system32.exe 96 PID 3348 wrote to memory of 3504 3348 system32.exe 96 PID 3348 wrote to memory of 5112 3348 system32.exe 97 PID 3348 wrote to memory of 5112 3348 system32.exe 97 PID 3348 wrote to memory of 5112 3348 system32.exe 97 PID 5028 wrote to memory of 5416 5028 csrss.exe 98 PID 5028 wrote to memory of 5416 5028 csrss.exe 98 PID 5028 wrote to memory of 5416 5028 csrss.exe 98 PID 4640 wrote to memory of 784 4640 Gaara.exe 99 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-02_68c3ccf1747176dd33a3396e0a6df5b6_black-basta_elex_luca-stealer.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5932 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5832 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5536
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4640 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4812
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4880
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5028 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4952
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5060
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5092
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4988 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4004
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4136
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3384
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1848
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3348 -
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3092
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1872
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3708
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3504
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5112
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5816
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5432
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5636
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1676
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6040
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1808
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1140
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2348
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3868
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:904
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4052
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2036
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5416
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3524
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1428
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5708
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3512
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5856
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1056
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:784
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4180
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5788
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2140
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5108
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4928
-
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5264
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1308
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5532
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6016
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6024
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:572
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3860
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4820
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4832
-
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5132
-
-
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6084
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1160
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4644
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1444
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:996
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2840
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5076
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4536
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4676
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe1⤵PID:3224
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe1⤵PID:1844
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 2-5-2025.exe1⤵PID:1628
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2124
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8.3MB
MD5337599d7ca17138688de4e9efe7b88ff
SHA1f3ebb730664b649353c23726905b50463c713174
SHA256405bf442f1e151e175bdcde4fa835754730ab3427dbcada143b664556ff23a85
SHA5120fa88c94182d5db648c9813d038df1c0af7c4c0a63c8b8f7e728adee9e584b728bfe0eb397c75b7e90509aa0708c742b1ed1ea6c5a0acda94c7f8f307e0b1044
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD51564dfe69ffed40950e5cb644e0894d1
SHA1201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA51272df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
8.3MB
MD504376594051c55613267c96649f87581
SHA1e828d299ea2ed893d181d848566c7f3107547ade
SHA25651f0ce83f9c7faf9cb5f388a5c72c7cc5dbb456e5b9bc7c8bedbbdf28840ef74
SHA512ee8a2cfd31570ecc06bb20168a69655d6711a7ce6556176dca33038bae378ad7e843c61e9b90f2bc9e9ee643169c5a10b17486ee097faf4cdf6b05983955b0a2
-
Filesize
8.3MB
MD568c3ccf1747176dd33a3396e0a6df5b6
SHA149a368528aa1bf37f3e46921d7ed127f7937b68b
SHA2566343149321470c22336072c0d6bbe1ad7781290cceb1b9ead202d9006d17236f
SHA512a45e5fc2ffc20a2fa177e0f337e90cb51a0e434e2ae77a0c71f0f01de3cb4598f9668b3ef680d6b44e0ec3086ca6e627dc44dfd4b298e80c7e97a60a8eeecad0
-
Filesize
8.3MB
MD5b04c938e341501e61cd6b78aa08368e9
SHA14d1263d160896d9db5ad914dfd3b629b2c2d70ce
SHA25667912f1c084858f1a469c0e8fe6fbbe5176f3deb3b0a661e60123b463f552c3d
SHA5122cecf5cea5fbd97753333925d7154479c46d1e330b984b547f984e7ec8a7c1557ec2c114d2e13d62b3885399cb221c02912b16857e580ec33fe38dd675c20b98
-
Filesize
8.3MB
MD596982677a2ae05dbb0f975e13d1610a2
SHA192007507d3d7d84c29b705b15749320a345233a7
SHA2565d815bbf5efda775e1f98f49d379ab0393fe5be24ae8d03466ca7e0944d89b43
SHA5128bf77f2cbec2865bcc47777c2fa9e1a99b0b3998bcad5ea121d258be5565b0f6cd4cfc7a6c7904a3516b57fe7fba2f55366ccc6dde1e384532b9b546f0957ff4
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
8.3MB
MD5c634b9e2e3db1c225788eb423a97a6e4
SHA122febaad77f8a6e8555ca0d12afd5b78f6c0ccd9
SHA256cfb3294dd6d2c17a507d52746266236261129e395b68fbdc03a188fd475bbbe4
SHA512b1c38bfe75322eacb8d60944b3dbf5c79e48d72795868d082cdeba6cbebf9ffb736c375c1bad4768ae7c443a2b801ba7db218049dc5e2d51ab842dba972ca6f3
-
Filesize
8.3MB
MD5b3928686f34323a02943185c96ccc61a
SHA1420e071033d11b70811c6d9bad4be7e659503a9f
SHA256b36734500fd7482483341b88eb56030d9fc4ea4c0da1d43c5023249fe8d62c04
SHA512ee03494ca6ddcae8873c7fa19aaa83c602bf1083eb35aca380cc3ffbc9f7449ad3776e9d2c61e6d42cf9d4fc501b5b9b10aa667fd821a5942a9c03a4ec40c043
-
Filesize
8.3MB
MD565f7fa44f0cc72a682b163bcc051f52f
SHA14055a39a3fb8800ca4b5e2e600b4fa1042ef5bd1
SHA256784d9bc27bb75e552000ee5495639d37ed25332e4b515fcb9a4638e5f4ba7c71
SHA512ac2487948268ad55a5b6ba67c1dc36b928ee49faa6f3daf01d6c54bb4b3ed57b3793a6fad1f7e402988875fc49e1ee462a34a18b53b0ce18ec33c706ad949e4d
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
8.3MB
MD50dcfa56d7a20a8eebcdf019fd0cca56c
SHA1e837f19d3ed7c283f42c7c45499332e81f8fe279
SHA25640e073aed9a6ff39bc0ef60e36aa1d0a16d32ac5c75717ed89767f31425b0e4d
SHA512c989c65aaae63b46d0973c03fb3c95a5dbdd513f41c13d11f69dfcabe9216863d137f9d7d80081d9ee4fd936ddacaa0685ed02e6db0bba207da661b0a10a8a39
-
Filesize
8.3MB
MD517ab194c30b9d420ba816fb12d9b33f8
SHA1b136701f7d64e129d988b80d18065f85d8890728
SHA25610798c39cffc3cbd73b52dda250102b76cba51c2d4a5b5e3877b0f07367f68aa
SHA512f49a605fb58ee49323b2bf70c82c1e464be27c6a009877a78a1746e02d7fd1b5c312b6ccf8ffd02c344d967b17cead2655efcd9f1a1214dffa1fea58c3b03ae0
-
Filesize
8.3MB
MD51affe8fbd3c2815e95f9ce26f01eb368
SHA1bfd3e0ba2c299f128774131a8a878356b8a08ade
SHA256603017db04e11df2df18cfb53296eed0d26e605910060fa26dba836d27182f2a
SHA512b13a1eec1e006376e44f5928b2961cc4240b43029d237f8c3a0d956a6075c920cdeb9f55c3ea3d61a8411ac245138a8f7bf23e6ac2b98766b70bfdafcdfcdced
-
Filesize
8.3MB
MD5b96f2f1516d86f03483f8f6c88e46b27
SHA17d60cbec66d05362382640369f77947b916b877d
SHA2569e68ee80186c941bed1090f1c01e98564f742df7b0ccee9d3bede99797cf9c22
SHA51209308c319f1705aed3be8d19fa190417f16312008160fc7e7b9ad419a773c87c0500695895c372efcc32cc2a96eaba2bb1bbe9a3a82dc05eb03dc539a7a212c6
-
Filesize
8.3MB
MD5205a29c92620da8fd642e5bef59b2f32
SHA189831fb804b210985ff7c14e8cee408aab53f39a
SHA256963b09d45804c8f970027ae13c2aca06af2349929693b78796ceb20e6d8a32c8
SHA512acca2321567ec415f323e8bd1402add1442b29bb3bba9dfc170d447c996ef300728c87c8599abceb3a255b0ae60d8b057fc470b0f1c4f3ae2829297242b2fe80
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a