Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system -
submitted
18/05/2025, 11:07
Behavioral task
behavioral1
Sample
2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe
Resource
win10v2004-20250502-en
General
-
Target
2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe
-
Size
8.2MB
-
MD5
075d5659cfd7bfab222f2ff0fda94070
-
SHA1
29147210d4daa3f5c18098ca046753730c628159
-
SHA256
90f163aab3e9a9ddb52b99b61463a521562a06c02f51d23b4a77d9b8c96093f2
-
SHA512
10c16e4ecec9cc492e7fa79e78699db21c8333acbc4eb854b9a9e167fbb43c2640743024bf93c21d496c0ce44dc927bb4dbdd9479dd206091b5f85c184c0ca0f
-
SSDEEP
49152:qyyqWyWy0GyqWyWyMRPC1eHc785dxytlWF17:qyyqWyWy0GyqWyWyMRPC1eHL5dxyjyp
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe -
UAC bypass 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\system32.exe 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe -
Executes dropped EXE 30 IoCs
pid Process 3504 smss.exe 1580 smss.exe 4564 Gaara.exe 1896 smss.exe 1132 Gaara.exe 5716 csrss.exe 4852 smss.exe 5252 Gaara.exe 2884 csrss.exe 1972 Gaara.exe 5084 csrss.exe 5620 Kazekage.exe 5776 Kazekage.exe 2724 smss.exe 3120 Gaara.exe 4960 system32.exe 452 csrss.exe 744 csrss.exe 2636 Kazekage.exe 5368 Kazekage.exe 1364 smss.exe 6016 system32.exe 3296 system32.exe 5320 Gaara.exe 5096 system32.exe 3028 csrss.exe 3412 Kazekage.exe 4256 Kazekage.exe 3080 system32.exe 1040 system32.exe -
Loads dropped DLL 18 IoCs
pid Process 3504 smss.exe 1580 smss.exe 4564 Gaara.exe 1896 smss.exe 1132 Gaara.exe 5716 csrss.exe 4852 smss.exe 5252 Gaara.exe 2884 csrss.exe 1972 Gaara.exe 5084 csrss.exe 2724 smss.exe 3120 Gaara.exe 452 csrss.exe 744 csrss.exe 1364 smss.exe 5320 Gaara.exe 3028 csrss.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe -
Checks whether UAC is enabled 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification \??\E:\Desktop.ini Gaara.exe File opened for modification F:\Desktop.ini smss.exe File opened for modification \??\N:\Desktop.ini smss.exe File opened for modification \??\Q:\Desktop.ini smss.exe File opened for modification F:\Desktop.ini 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\I:\Desktop.ini Gaara.exe File opened for modification \??\Y:\Desktop.ini Gaara.exe File opened for modification \??\L:\Desktop.ini 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\P:\Desktop.ini csrss.exe File opened for modification \??\B:\Desktop.ini Kazekage.exe File opened for modification \??\M:\Desktop.ini Kazekage.exe File opened for modification \??\E:\Desktop.ini smss.exe File opened for modification \??\Q:\Desktop.ini 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\H:\Desktop.ini csrss.exe File opened for modification \??\M:\Desktop.ini csrss.exe File opened for modification \??\V:\Desktop.ini Kazekage.exe File opened for modification \??\B:\Desktop.ini csrss.exe File opened for modification \??\L:\Desktop.ini smss.exe File opened for modification \??\Z:\Desktop.ini smss.exe File opened for modification \??\H:\Desktop.ini 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\H:\Desktop.ini system32.exe File opened for modification \??\S:\Desktop.ini system32.exe File opened for modification \??\U:\Desktop.ini Kazekage.exe File opened for modification \??\K:\Desktop.ini Gaara.exe File opened for modification \??\W:\Desktop.ini 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\G:\Desktop.ini csrss.exe File opened for modification \??\U:\Desktop.ini csrss.exe File opened for modification \??\J:\Desktop.ini system32.exe File opened for modification \??\U:\Desktop.ini system32.exe File opened for modification C:\Desktop.ini smss.exe File opened for modification \??\T:\Desktop.ini smss.exe File opened for modification \??\K:\Desktop.ini 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\Y:\Desktop.ini csrss.exe File opened for modification \??\Q:\Desktop.ini system32.exe File opened for modification \??\Z:\Desktop.ini system32.exe File opened for modification \??\S:\Desktop.ini Gaara.exe File opened for modification \??\V:\Desktop.ini 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\A:\Desktop.ini system32.exe File opened for modification C:\Desktop.ini Kazekage.exe File opened for modification \??\I:\Desktop.ini system32.exe File opened for modification \??\X:\Desktop.ini system32.exe File opened for modification \??\O:\Desktop.ini Kazekage.exe File opened for modification D:\Desktop.ini Gaara.exe File opened for modification \??\J:\Desktop.ini Gaara.exe File opened for modification \??\Y:\Desktop.ini system32.exe File opened for modification \??\Z:\Desktop.ini Kazekage.exe File opened for modification \??\Q:\Desktop.ini Gaara.exe File opened for modification \??\I:\Desktop.ini csrss.exe File opened for modification \??\N:\Desktop.ini Kazekage.exe File opened for modification \??\M:\Desktop.ini Gaara.exe File opened for modification \??\J:\Desktop.ini 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\X:\Desktop.ini csrss.exe File opened for modification \??\R:\Desktop.ini Kazekage.exe File opened for modification F:\Desktop.ini Gaara.exe File opened for modification \??\S:\Desktop.ini csrss.exe File opened for modification \??\A:\Desktop.ini 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification D:\Desktop.ini 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\W:\Desktop.ini csrss.exe File opened for modification \??\K:\Desktop.ini system32.exe File opened for modification \??\Y:\Desktop.ini Kazekage.exe File opened for modification \??\T:\Desktop.ini Gaara.exe File opened for modification \??\V:\Desktop.ini Gaara.exe File opened for modification \??\K:\Desktop.ini smss.exe File opened for modification \??\L:\Desktop.ini csrss.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\A: csrss.exe File opened (read-only) \??\V: csrss.exe File opened (read-only) \??\Y: system32.exe File opened (read-only) \??\Z: system32.exe File opened (read-only) \??\H: smss.exe File opened (read-only) \??\W: 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\O: csrss.exe File opened (read-only) \??\J: system32.exe File opened (read-only) \??\G: Gaara.exe File opened (read-only) \??\P: 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\Q: Gaara.exe File opened (read-only) \??\G: smss.exe File opened (read-only) \??\J: smss.exe File opened (read-only) \??\B: csrss.exe File opened (read-only) \??\Y: csrss.exe File opened (read-only) \??\E: Kazekage.exe File opened (read-only) \??\W: Kazekage.exe File opened (read-only) \??\T: Gaara.exe File opened (read-only) \??\V: smss.exe File opened (read-only) \??\N: csrss.exe File opened (read-only) \??\A: Gaara.exe File opened (read-only) \??\L: Gaara.exe File opened (read-only) \??\E: smss.exe File opened (read-only) \??\N: smss.exe File opened (read-only) \??\N: 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\A: system32.exe File opened (read-only) \??\M: system32.exe File opened (read-only) \??\S: Kazekage.exe File opened (read-only) \??\K: smss.exe File opened (read-only) \??\L: smss.exe File opened (read-only) \??\Y: 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\H: Gaara.exe File opened (read-only) \??\P: smss.exe File opened (read-only) \??\Z: csrss.exe File opened (read-only) \??\Q: system32.exe File opened (read-only) \??\O: smss.exe File opened (read-only) \??\R: 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\M: csrss.exe File opened (read-only) \??\N: Kazekage.exe File opened (read-only) \??\I: Gaara.exe File opened (read-only) \??\J: Gaara.exe File opened (read-only) \??\V: Gaara.exe File opened (read-only) \??\X: Gaara.exe File opened (read-only) \??\U: csrss.exe File opened (read-only) \??\P: Gaara.exe File opened (read-only) \??\I: 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\K: 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\L: csrss.exe File opened (read-only) \??\P: csrss.exe File opened (read-only) \??\B: system32.exe File opened (read-only) \??\Z: Gaara.exe File opened (read-only) \??\W: system32.exe File opened (read-only) \??\Z: smss.exe File opened (read-only) \??\A: smss.exe File opened (read-only) \??\U: smss.exe File opened (read-only) \??\W: csrss.exe File opened (read-only) \??\B: Kazekage.exe File opened (read-only) \??\I: Kazekage.exe File opened (read-only) \??\X: Kazekage.exe File opened (read-only) \??\B: 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\G: system32.exe File opened (read-only) \??\S: Gaara.exe File opened (read-only) \??\L: 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification \??\S:\Autorun.inf Kazekage.exe File opened for modification \??\K:\Autorun.inf 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File created \??\X:\Autorun.inf 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File created \??\E:\Autorun.inf smss.exe File opened for modification \??\N:\Autorun.inf smss.exe File created \??\O:\Autorun.inf Kazekage.exe File created \??\U:\Autorun.inf Kazekage.exe File opened for modification \??\L:\Autorun.inf system32.exe File opened for modification \??\X:\Autorun.inf system32.exe File created \??\J:\Autorun.inf 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\N:\Autorun.inf 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File created \??\Q:\Autorun.inf smss.exe File opened for modification \??\B:\Autorun.inf csrss.exe File created \??\P:\Autorun.inf csrss.exe File created \??\L:\Autorun.inf 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File created \??\Z:\Autorun.inf 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File created \??\X:\Autorun.inf smss.exe File created D:\Autorun.inf Gaara.exe File created \??\G:\Autorun.inf Gaara.exe File created \??\Q:\Autorun.inf Gaara.exe File created D:\Autorun.inf csrss.exe File opened for modification \??\S:\Autorun.inf system32.exe File created \??\Y:\Autorun.inf system32.exe File created \??\A:\Autorun.inf Gaara.exe File created \??\V:\Autorun.inf Kazekage.exe File opened for modification \??\H:\Autorun.inf smss.exe File opened for modification \??\N:\Autorun.inf Gaara.exe File opened for modification \??\O:\Autorun.inf csrss.exe File created C:\Autorun.inf 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\B:\Autorun.inf smss.exe File opened for modification \??\W:\Autorun.inf smss.exe File created \??\M:\Autorun.inf Gaara.exe File created \??\K:\Autorun.inf csrss.exe File created \??\W:\Autorun.inf csrss.exe File opened for modification \??\L:\Autorun.inf Gaara.exe File opened for modification \??\B:\Autorun.inf Kazekage.exe File opened for modification \??\O:\Autorun.inf system32.exe File opened for modification \??\T:\Autorun.inf system32.exe File created \??\A:\Autorun.inf 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\R:\Autorun.inf smss.exe File created \??\E:\Autorun.inf Gaara.exe File opened for modification \??\X:\Autorun.inf Kazekage.exe File created \??\H:\Autorun.inf system32.exe File opened for modification \??\Q:\Autorun.inf system32.exe File created \??\R:\Autorun.inf system32.exe File created \??\S:\Autorun.inf system32.exe File created \??\V:\Autorun.inf 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\E:\Autorun.inf Gaara.exe File created \??\Q:\Autorun.inf csrss.exe File created \??\S:\Autorun.inf csrss.exe File created \??\V:\Autorun.inf system32.exe File opened for modification \??\E:\Autorun.inf Kazekage.exe File opened for modification \??\H:\Autorun.inf Kazekage.exe File created \??\M:\Autorun.inf Kazekage.exe File opened for modification \??\Y:\Autorun.inf system32.exe File created \??\V:\Autorun.inf Gaara.exe File opened for modification \??\A:\Autorun.inf csrss.exe File opened for modification \??\A:\Autorun.inf Kazekage.exe File opened for modification F:\Autorun.inf system32.exe File created \??\U:\Autorun.inf smss.exe File opened for modification \??\X:\Autorun.inf smss.exe File created \??\Z:\Autorun.inf Gaara.exe File opened for modification \??\N:\Autorun.inf Kazekage.exe File created \??\Z:\Autorun.inf system32.exe -
Drops file in System32 directory 39 IoCs
description ioc Process File created C:\Windows\SysWOW64\18-5-2025.exe 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\18-5-2025.exe Kazekage.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\18-5-2025.exe smss.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File opened for modification C:\Windows\SysWOW64\18-5-2025.exe system32.exe File opened for modification C:\Windows\SysWOW64\ 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File opened for modification C:\Windows\SysWOW64\18-5-2025.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File opened for modification C:\Windows\SysWOW64\18-5-2025.exe csrss.exe File created C:\Windows\SysWOW64\Desktop.ini 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\ smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File opened for modification C:\Windows\SysWOW64\18-5-2025.exe 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File created C:\Windows\SysWOW64\mscomctl.ocx 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe -
resource yara_rule behavioral1/memory/1052-0-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024243-11.dat upx behavioral1/files/0x0007000000024241-32.dat upx behavioral1/memory/3504-34-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024244-49.dat upx behavioral1/memory/1580-70-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1580-73-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024242-75.dat upx behavioral1/memory/4564-76-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024243-84.dat upx behavioral1/files/0x0007000000024244-88.dat upx behavioral1/files/0x0007000000024247-96.dat upx behavioral1/files/0x0007000000024246-92.dat upx behavioral1/memory/1896-113-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1132-116-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5716-119-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024246-132.dat upx behavioral1/files/0x0007000000024247-135.dat upx behavioral1/memory/1052-148-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3504-151-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5252-158-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1972-163-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2884-168-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5084-174-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1972-175-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5620-173-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4564-172-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5776-184-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024244-185.dat upx behavioral1/memory/5716-203-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024247-190.dat upx behavioral1/memory/5084-188-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2724-214-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4960-215-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5776-211-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5620-225-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3120-227-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/6016-245-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2636-246-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1364-250-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5368-249-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/6016-251-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4960-259-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5320-260-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3296-261-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5096-266-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4256-271-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3412-272-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1040-277-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3080-278-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024285-455.dat upx -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Fonts\The Kazekage.jpg 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe csrss.exe File created C:\Windows\WBEM\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\system\mscoree.dll system32.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe system32.exe File opened for modification C:\Windows\mscomctl.ocx system32.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe Gaara.exe File opened for modification C:\Windows\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe csrss.exe File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe Gaara.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe system32.exe File opened for modification C:\Windows\system\msvbvm60.dll smss.exe File opened for modification C:\Windows\system\mscoree.dll csrss.exe File created C:\Windows\WBEM\msvbvm60.dll system32.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe smss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe Kazekage.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll system32.exe File opened for modification C:\Windows\msvbvm60.dll system32.exe File opened for modification C:\Windows\system\msvbvm60.dll system32.exe File opened for modification C:\Windows\ smss.exe File opened for modification C:\Windows\system\mscoree.dll 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\mscoree.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe Kazekage.exe File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\ Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe smss.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe csrss.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe Kazekage.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg system32.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe Gaara.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\msvbvm60.dll 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\system\msvbvm60.dll 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe File created C:\Windows\WBEM\msvbvm60.dll csrss.exe File opened for modification C:\Windows\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\ system32.exe File created C:\Windows\Fonts\The Kazekage.jpg 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe csrss.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe system32.exe File opened for modification C:\Windows\mscomctl.ocx 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe smss.exe File opened for modification C:\Windows\mscomctl.ocx smss.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe csrss.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe csrss.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe system32.exe File opened for modification C:\Windows\ 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe smss.exe File created C:\Windows\WBEM\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\msvbvm60.dll 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 34 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 3144 ping.exe 1084 ping.exe 5264 ping.exe 1124 ping.exe 4052 ping.exe 1096 ping.exe 6076 ping.exe 4984 ping.exe 968 ping.exe 4392 ping.exe 4684 ping.exe 3144 ping.exe 2396 ping.exe 400 ping.exe 3900 ping.exe 3748 ping.exe 4128 ping.exe 4776 ping.exe 2344 ping.exe 5500 ping.exe 6056 ping.exe 2080 ping.exe 4900 ping.exe 924 ping.exe 4784 ping.exe 2224 ping.exe 2892 ping.exe 5276 ping.exe 5776 ping.exe 4548 ping.exe 5044 ping.exe 6048 ping.exe 5616 ping.exe 4980 ping.exe -
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\WallpaperStyle = "2" smss.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\WallpaperStyle = "2" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Size = "72" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\WallpaperStyle = "2" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Size = "72" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\WallpaperStyle = "2" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe -
Modifies registry class 51 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe -
Runs ping.exe 1 TTPs 34 IoCs
pid Process 924 ping.exe 2344 ping.exe 1084 ping.exe 5276 ping.exe 5776 ping.exe 1124 ping.exe 2396 ping.exe 6048 ping.exe 6056 ping.exe 2892 ping.exe 4776 ping.exe 5616 ping.exe 2080 ping.exe 3144 ping.exe 4900 ping.exe 4984 ping.exe 5264 ping.exe 1096 ping.exe 2224 ping.exe 4052 ping.exe 4548 ping.exe 4784 ping.exe 4684 ping.exe 6076 ping.exe 3748 ping.exe 4980 ping.exe 4128 ping.exe 3144 ping.exe 3900 ping.exe 968 ping.exe 4392 ping.exe 400 ping.exe 5500 ping.exe 5044 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 3504 smss.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 5716 csrss.exe 5716 csrss.exe 5716 csrss.exe 5716 csrss.exe 5716 csrss.exe 5716 csrss.exe 5716 csrss.exe 5716 csrss.exe 5716 csrss.exe 5716 csrss.exe 5716 csrss.exe 5716 csrss.exe 5716 csrss.exe 5716 csrss.exe 5716 csrss.exe 5716 csrss.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 3504 smss.exe 1580 smss.exe 4564 Gaara.exe 1896 smss.exe 1132 Gaara.exe 5716 csrss.exe 4852 smss.exe 5252 Gaara.exe 2884 csrss.exe 1972 Gaara.exe 5084 csrss.exe 5620 Kazekage.exe 5776 Kazekage.exe 2724 smss.exe 4960 system32.exe 3120 Gaara.exe 452 csrss.exe 744 csrss.exe 2636 Kazekage.exe 5368 Kazekage.exe 1364 smss.exe 6016 system32.exe 5320 Gaara.exe 3296 system32.exe 3028 csrss.exe 5096 system32.exe 3412 Kazekage.exe 4256 Kazekage.exe 3080 system32.exe 1040 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1052 wrote to memory of 3504 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 86 PID 1052 wrote to memory of 3504 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 86 PID 1052 wrote to memory of 3504 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 86 PID 3504 wrote to memory of 1580 3504 smss.exe 89 PID 3504 wrote to memory of 1580 3504 smss.exe 89 PID 3504 wrote to memory of 1580 3504 smss.exe 89 PID 3504 wrote to memory of 4564 3504 smss.exe 92 PID 3504 wrote to memory of 4564 3504 smss.exe 92 PID 3504 wrote to memory of 4564 3504 smss.exe 92 PID 4564 wrote to memory of 1896 4564 Gaara.exe 95 PID 4564 wrote to memory of 1896 4564 Gaara.exe 95 PID 4564 wrote to memory of 1896 4564 Gaara.exe 95 PID 4564 wrote to memory of 1132 4564 Gaara.exe 97 PID 4564 wrote to memory of 1132 4564 Gaara.exe 97 PID 4564 wrote to memory of 1132 4564 Gaara.exe 97 PID 4564 wrote to memory of 5716 4564 Gaara.exe 98 PID 4564 wrote to memory of 5716 4564 Gaara.exe 98 PID 4564 wrote to memory of 5716 4564 Gaara.exe 98 PID 5716 wrote to memory of 4852 5716 csrss.exe 100 PID 5716 wrote to memory of 4852 5716 csrss.exe 100 PID 5716 wrote to memory of 4852 5716 csrss.exe 100 PID 5716 wrote to memory of 5252 5716 csrss.exe 101 PID 5716 wrote to memory of 5252 5716 csrss.exe 101 PID 5716 wrote to memory of 5252 5716 csrss.exe 101 PID 5716 wrote to memory of 2884 5716 csrss.exe 103 PID 5716 wrote to memory of 2884 5716 csrss.exe 103 PID 5716 wrote to memory of 2884 5716 csrss.exe 103 PID 1052 wrote to memory of 1972 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 105 PID 1052 wrote to memory of 1972 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 105 PID 1052 wrote to memory of 1972 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 105 PID 1052 wrote to memory of 5084 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 108 PID 1052 wrote to memory of 5084 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 108 PID 1052 wrote to memory of 5084 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 108 PID 5716 wrote to memory of 5620 5716 csrss.exe 107 PID 5716 wrote to memory of 5620 5716 csrss.exe 107 PID 5716 wrote to memory of 5620 5716 csrss.exe 107 PID 1052 wrote to memory of 5776 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 109 PID 1052 wrote to memory of 5776 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 109 PID 1052 wrote to memory of 5776 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 109 PID 5620 wrote to memory of 2724 5620 Kazekage.exe 110 PID 5620 wrote to memory of 2724 5620 Kazekage.exe 110 PID 5620 wrote to memory of 2724 5620 Kazekage.exe 110 PID 5620 wrote to memory of 3120 5620 Kazekage.exe 111 PID 5620 wrote to memory of 3120 5620 Kazekage.exe 111 PID 5620 wrote to memory of 3120 5620 Kazekage.exe 111 PID 1052 wrote to memory of 4960 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 112 PID 1052 wrote to memory of 4960 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 112 PID 1052 wrote to memory of 4960 1052 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe 112 PID 3504 wrote to memory of 452 3504 smss.exe 113 PID 3504 wrote to memory of 452 3504 smss.exe 113 PID 3504 wrote to memory of 452 3504 smss.exe 113 PID 5620 wrote to memory of 744 5620 Kazekage.exe 114 PID 5620 wrote to memory of 744 5620 Kazekage.exe 114 PID 5620 wrote to memory of 744 5620 Kazekage.exe 114 PID 3504 wrote to memory of 2636 3504 smss.exe 115 PID 3504 wrote to memory of 2636 3504 smss.exe 115 PID 3504 wrote to memory of 2636 3504 smss.exe 115 PID 5620 wrote to memory of 5368 5620 Kazekage.exe 116 PID 5620 wrote to memory of 5368 5620 Kazekage.exe 116 PID 5620 wrote to memory of 5368 5620 Kazekage.exe 116 PID 4960 wrote to memory of 1364 4960 system32.exe 117 PID 4960 wrote to memory of 1364 4960 system32.exe 117 PID 4960 wrote to memory of 1364 4960 system32.exe 117 PID 3504 wrote to memory of 6016 3504 smss.exe 118 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-18_075d5659cfd7bfab222f2ff0fda94070_amadey_black-basta_elex_luca-stealer.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1052 -
C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3504 -
C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1580
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4564 -
C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1896
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1132
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5716 -
C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4852
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5252
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2884
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5620 -
C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2724
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3120
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:744
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5368
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3296
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3900
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6076
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5044
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1096
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4776
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4684
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5096
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3144
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2344
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3748
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5776
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4392
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2892
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3412
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3080
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4548
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4784
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:968
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5264
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2224
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2080
-
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:452
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2636
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6016
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4052
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:924
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5276
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5500
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1124
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6056
-
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1972
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5084
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5776
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4960 -
C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1364
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5320
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3028
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4256
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1040
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6048
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5616
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3144
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2396
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:400
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4900
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1084
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4984
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4980
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4128
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\smss.exe1⤵PID:2988
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\Gaara.exe1⤵PID:5824
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 18-5-2025.exe1⤵PID:5496
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:6084
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8.2MB
MD513ba623c78e37d42a85c40edce8b270c
SHA12681357415d6c5ef66b9df50511e0fc1c24153ec
SHA2569ff2f38e08f5217857d04ae7eb30c82fdfb7435ca89a48f35adc4843ad7fe743
SHA512a893ca4edf198b2c1c69fe58e73d2bd2160abdd3484d7ea9bf2db35a7742c992e06e1bc1fc6227771e78d32c39aef867ee2b37804dd652e163a14d185baea4ac
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD51564dfe69ffed40950e5cb644e0894d1
SHA1201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA51272df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
8.2MB
MD5d37f9450e7b2e079ff76eaf0fec6b5a7
SHA1e29319ab989784b5756ba5e52ad5e08c6f252b50
SHA256b303a820784be9a92870999185afc0d82bc77dbde3116a3b72396dc64c75d1fa
SHA512be38a4d53c7d72185df76a98b7087d5330ff3c99ca5b14d1216da3e3128b96aca9c4ae3fedd1eaa383b4db90be3eca56e1789fa05cba5a84862c6d8cec7edfd4
-
Filesize
8.2MB
MD5075d5659cfd7bfab222f2ff0fda94070
SHA129147210d4daa3f5c18098ca046753730c628159
SHA25690f163aab3e9a9ddb52b99b61463a521562a06c02f51d23b4a77d9b8c96093f2
SHA51210c16e4ecec9cc492e7fa79e78699db21c8333acbc4eb854b9a9e167fbb43c2640743024bf93c21d496c0ce44dc927bb4dbdd9479dd206091b5f85c184c0ca0f
-
Filesize
8.2MB
MD5e8f762fcb558102605a8f1195e55c82a
SHA188ee7c2ab49f575e45934c6f36805435412a56b5
SHA2561e3a69863a558defafb2d2d2599cf91293603048c1f4364136d5816516d4a11c
SHA512659e74489582aa113d6bc38116a2e94875e0560085e97ba897d7f9c39f6a9d81febaaff301b638efd8ee6f00f0b8b437852ff81646997eb1cf14a940488d6998
-
Filesize
8.2MB
MD583f63996e770349d6f22d77ddb8f209a
SHA1bd4e548956e0195aa2c6ba0c36a3feff50284343
SHA256d4c9c107cd8e30caa434f0811a1992358deea2093c60e36bcd31eb3ec5dd0182
SHA512b923ec1718446821e706a3c029e53bd3e6863695df2b6eaa86213b8829029ed9017110f2fac94acdf781209da49b8c8d92939ccd7a192b028b4a460ba92894aa
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
8.2MB
MD51689d82880cef45e1323b6a70de1d4f4
SHA1ea3ae4acd28692a5c9f8af8d791b8921983051a0
SHA25685fa06f72d0eb5bc769d20cdac0bd22c2996cfe84905d33f5ab0a3763fe01496
SHA51224f66fcc869cfbd13c50b6ba263e4dd8a56f5b68d03c15aa6cd9d9b2222781b4da281431803717db0471b7ce980f53ca1ab9219e1019a1b75cd0d305b9003cd7
-
Filesize
8.2MB
MD5b2afa5d02838ad8cc17a1d7386d8130c
SHA19fb82c22704d7dcff8efcfb264c24f98f02cf8f9
SHA2566e881f088e016ad8cd354111897c5d6dd602e02785cb8b5eb6a9de9332c8e9df
SHA51270e3492e93c0e1f764268a9d8e0922633a78006db1f6dbcbfbe8b4113ff8181190b873b3d35daad79e91ad04b9a97ae983b82afecb185304fdf2a3e7f0955107
-
Filesize
8.2MB
MD5ac347192cffdcd7cb0d1e62221351354
SHA1673371d2708bb5c1651b445fdf7371c1269f9da4
SHA25627dec9de138fafc94a4b6f2a4f007161d844a6b84cc39e02adec6e9e20332b76
SHA512204198c2150ff245c321af1480c0e7561f84977c731b1d2942e3c80ab3c162f4db38a515652d6b7c8ddaa33a8af40a87733cd29519bbf9165914c00e47b38928
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
8.2MB
MD5ddea8c6d27deb0ae74644386d46aef3a
SHA1b930f72174ea87ac0d9efa0eebd83da0aba2f800
SHA2569414b7a7ec135a95dbe2244a733c1905894a8eb940f58e636cffa72212f81f5d
SHA5123a80b9cc759dd8e4c0fa5c7946d3700538787faca31e280330e97bea02f9b02a0167f666037bbdd89041bae449a90c55878602487d3aa23423a04c5b41ab9d2e
-
Filesize
8.2MB
MD575f451ace2467d102f5e35d672516fff
SHA1b205973e34933b29139d4af719e5fae3e0679bee
SHA256c8760afa32dd6e70cc92b46cd1b83605b5ad76ded4cbc210c500c51e008a82ab
SHA512da4babf508b7f09f71eb7b514123dc1444eaf4a7e00f3635d55511997739b5e85601675d44233cf0e6a58ec2806b2efaf24037dea6dd8251cea29e44263b4db2
-
Filesize
8.2MB
MD5e42244cad3826f8d8d6af7fc4ac1205c
SHA1153e434d69477ca696a13aafe77ed167797a0e7f
SHA25678e365e9d6e69912da47f1be9b39030cfc8573602cebaefbe6b0b6401c92615d
SHA512c80c7cf45c356d54b8ee7ce946978e60f16b60dd8bd656cbfb48e38f1bdaf1c54d90484f237c420f96562f6cef23eb9a67a98593fdc6529910020e8a4a46052b
-
Filesize
8.2MB
MD5c45d0d66cbbdb39a147c9c6dab69a5f9
SHA19d6d2f4614eb2c11d17890f2a7e60da6e842b232
SHA256abd07e1bd2581850bdeff3de4bf96d4adf6688f5b8487f660183b4f7bca1e932
SHA5120034513851539eb2984989ca3b467f07bbace4ac18fb0a1a7386d59ac89cf5b87eb4e55016152cbfc2557c5e03cc4f9b13a816f0adc6052b57a3ea1bbac0bde8
-
Filesize
8.2MB
MD5033918716ec21be7d8257e454680c377
SHA11ce34a7adf590d83ec356338884171eeed94884d
SHA25655fdead1812d529997270c91021ee348c328ffa16efc5834f0f6f557b39ba302
SHA512209e4d84c14e798ca75ec1d772b94120fc62a857ac88a114e4a22b56d4d5e49476cf8396c620a5640cc9fe6b28b3d6fae4edceceefbf4814bf782e546d4616b4
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a