Analysis
max time kernel: 149s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/05/2025, 10:17
Behavioral task: behavioral1
Sample: 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Resource: win10v2004-20250502-en

Behavioral task: behavioral2
Sample: 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Resource: win11-20250502-en
General
Target: 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Size: 8.2MB
MD5: 3634e9114c3bd0532cd09ef30d1edb0c
SHA1: 2fe2b9a03c4ddd8500f826704d0e4bb081ee2d11
SHA256: d7e263ab3219fe6cf532476e1d51ac75d0f11bd7f011875b69d69a32debb75e1
SHA512: 1cac989da54d317e32faf31dae043bbe8e7ebe3578c7ae51f4b2fcd998166b7c7f13092802cec915aa7a6675fc6e4d9ebed5caa1cabcf8b5ac1f676871a622a9
SSDEEP: 49152:AyyqWyWy0GyqWyWyMRPC1eHc785dxytlWF17:AyyqWyWy0GyqWyWyMRPC1eHL5dxyjyp
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
UAC bypass 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Disables use of System Restore points 1 TTPs
Drops file in Drivers directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | Kazekage.exe
Executes dropped EXE 30 IoCs
pid | Process
2196 | smss.exe
4736 | smss.exe
4976 | Gaara.exe
5012 | smss.exe
4612 | Gaara.exe
972 | csrss.exe
1040 | smss.exe
5632 | Gaara.exe
2776 | Gaara.exe
5000 | csrss.exe
3180 | csrss.exe
5184 | Kazekage.exe
5416 | Kazekage.exe
1536 | csrss.exe
4552 | smss.exe
4064 | system32.exe
2128 | Kazekage.exe
2536 | Gaara.exe
4152 | csrss.exe
3884 | system32.exe
1352 | smss.exe
896 | Kazekage.exe
4128 | Kazekage.exe
2280 | Gaara.exe
3360 | system32.exe
4544 | csrss.exe
2832 | system32.exe
6136 | system32.exe
3436 | Kazekage.exe
3700 | system32.exe
Loads dropped DLL 18 IoCs
pid | Process
2196 | smss.exe
4736 | smss.exe
4976 | Gaara.exe
5012 | smss.exe
4612 | Gaara.exe
972 | csrss.exe
1040 | smss.exe
5632 | Gaara.exe
2776 | Gaara.exe
5000 | csrss.exe
3180 | csrss.exe
1536 | csrss.exe
4552 | smss.exe
2536 | Gaara.exe
4152 | csrss.exe
1352 | smss.exe
2280 | Gaara.exe
4544 | csrss.exe
Adds Run key to start application 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" | system32.exe
Checks whether UAC is enabled 1 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Drops desktop.ini file(s) 64 IoCs
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 39 IoCs
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description      ioc                                                                                                                                   Process
Set value (str)  \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"  2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"  smss.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"  Gaara.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"  csrss.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"  Kazekage.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg"  system32.exe
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Modifies Control Panel 64 IoCs
description / ioc / process (identical entries grouped, with every process that produced them):
- Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Software\Microsoft\Internet Explorer\Main (processes: Gaara.exe, csrss.exe, Kazekage.exe, 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe, smss.exe, system32.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" (processes: csrss.exe, Kazekage.exe, 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe, Gaara.exe, smss.exe, system32.exe)
Modifies registry class 51 IoCs
description / ioc / process (identical entries grouped, with every process that produced them):
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile (process: Gaara.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell (process: Gaara.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install (process: Gaara.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command (processes: 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe, Gaara.exe, smss.exe, csrss.exe, system32.exe, Kazekage.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" (processes: 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe, csrss.exe, Kazekage.exe, Gaara.exe, smss.exe, system32.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command (processes: smss.exe, Kazekage.exe, Gaara.exe, csrss.exe, system32.exe, 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" (processes: 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe, Gaara.exe, Kazekage.exe, system32.exe, smss.exe, csrss.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command (processes: csrss.exe, smss.exe, Gaara.exe, system32.exe, Kazekage.exe, 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" (processes: Gaara.exe, 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe, csrss.exe, Kazekage.exe, system32.exe, smss.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command (processes: Kazekage.exe, Gaara.exe, csrss.exe, 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe, system32.exe, smss.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" (processes: smss.exe, system32.exe, Gaara.exe, Kazekage.exe, 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe, csrss.exe)
Runs ping.exe 1 TTPs 36 IoCs
pid / Process: all 36 entries are ping.exe, with PIDs 3808, 5240, 3572, 1608, 5784, 5332, 3300, 5248, 2728, 1740, 1572, 5552, 5900, 4252, 5212, 4816, 2424, 3316, 4660, 1744, 4196, 5108, 5248, 2700, 5460, 2964, 3988, 3748, 3812, 2088, 3700, 6032, 5576, 6048, 4836, 1344
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process (repeated entries collapsed, 64 in total):
- 4976 Gaara.exe (24 entries)
- 972 csrss.exe (24 entries)
- 2196 smss.exe (16 entries)
Suspicious use of SetWindowsHookEx 31 IoCs
pid / Process (grouped by image, 31 in total):
- 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe: 3336
- smss.exe: 2196, 4736, 5012, 1040, 4552, 1352
- Gaara.exe: 4976, 4612, 5632, 2776, 2536, 2280
- csrss.exe: 972, 5000, 3180, 1536, 4152, 4544
- Kazekage.exe: 5184, 5416, 2128, 896, 4128, 3436
- system32.exe: 4064, 3884, 3360, 2832, 6136, 3700
Suspicious use of WriteProcessMemory 64 IoCs
description / pid / Process / procid_target (each write is logged three times in the source; the count is given per entry):
- PID 3336 (2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe) wrote to memory of 2196, procid_target 87 (3 events)
- PID 2196 (smss.exe) wrote to memory of 4736, procid_target 90 (3 events)
- PID 2196 (smss.exe) wrote to memory of 4976, procid_target 91 (3 events)
- PID 4976 (Gaara.exe) wrote to memory of 5012, procid_target 94 (3 events)
- PID 4976 (Gaara.exe) wrote to memory of 4612, procid_target 97 (3 events)
- PID 4976 (Gaara.exe) wrote to memory of 972, procid_target 98 (3 events)
- PID 972 (csrss.exe) wrote to memory of 1040, procid_target 101 (3 events)
- PID 972 (csrss.exe) wrote to memory of 5632, procid_target 103 (3 events)
- PID 3336 (2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe) wrote to memory of 2776, procid_target 104 (3 events)
- PID 972 (csrss.exe) wrote to memory of 5000, procid_target 106 (3 events)
- PID 3336 (2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe) wrote to memory of 3180, procid_target 107 (3 events)
- PID 972 (csrss.exe) wrote to memory of 5184, procid_target 109 (3 events)
- PID 3336 (2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe) wrote to memory of 5416, procid_target 110 (3 events)
- PID 2196 (smss.exe) wrote to memory of 1536, procid_target 112 (3 events)
- PID 5184 (Kazekage.exe) wrote to memory of 4552, procid_target 113 (3 events)
- PID 3336 (2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe) wrote to memory of 4064, procid_target 114 (3 events)
- PID 2196 (smss.exe) wrote to memory of 2128, procid_target 115 (3 events)
- PID 5184 (Kazekage.exe) wrote to memory of 2536, procid_target 116 (3 events)
- PID 5184 (Kazekage.exe) wrote to memory of 4152, procid_target 117 (3 events)
- PID 2196 (smss.exe) wrote to memory of 3884, procid_target 118 (3 events)
- PID 4064 (system32.exe) wrote to memory of 1352, procid_target 119 (3 events)
- PID 4976 (Gaara.exe) wrote to memory of 896, procid_target 120 (1 event)
System policy modification 1 TTPs 12 IoCs
description / ioc / process (identical entries grouped, with every process that produced them):
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (processes: Kazekage.exe, 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe, Gaara.exe, smss.exe, csrss.exe, system32.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (processes: Gaara.exe, csrss.exe, system32.exe, Kazekage.exe, 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe, smss.exe)
Processes
Level 1: C:\Users\Admin\AppData\Local\Temp\2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe (command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 3336

Level 2: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe (command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2196

Level 3: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe (command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4736

Level 3: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe (command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 4976

Level 4: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe (command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5012

Level 4: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe (command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4612

Level 4: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe (command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe")
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 972

Level 5: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe (command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1040

Level 5: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe (command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5632

Level 5: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe (command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5000

Level 5: C:\Windows\SysWOW64\drivers\Kazekage.exe (command line: C:\Windows\system32\drivers\Kazekage.exe)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 5184

Level 6: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe (command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4552

Level 6: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe (command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2536

Level 6: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe (command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4152

Level 6: C:\Windows\SysWOW64\drivers\Kazekage.exe (command line: C:\Windows\system32\drivers\Kazekage.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4128

Level 6: C:\Windows\SysWOW64\drivers\system32.exe (command line: C:\Windows\system32\drivers\system32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2832

Level 6: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.rasasayang.com.my 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2964

Level 6: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.duniasex.com 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4816

Level 6: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.rasasayang.com.my 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1572

Level 6: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.duniasex.com 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3572

Level 6: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.rasasayang.com.my 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5900

Level 6: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.duniasex.com 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5460

Level 5: C:\Windows\SysWOW64\drivers\system32.exe (command line: C:\Windows\system32\drivers\system32.exe)
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 6136

Level 5: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.rasasayang.com.my 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2728

Level 5: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.duniasex.com 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3700

Level 5: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.rasasayang.com.my 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5108

Level 5: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.duniasex.com 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1740

Level 5: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.rasasayang.com.my 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5784

Level 5: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.duniasex.com 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5248

Level 4: C:\Windows\SysWOW64\drivers\Kazekage.exe (command line: C:\Windows\system32\drivers\Kazekage.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 896

Level 4: C:\Windows\SysWOW64\drivers\system32.exe (command line: C:\Windows\system32\drivers\system32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3360

Level 4: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.rasasayang.com.my 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5212

Level 4: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.duniasex.com 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3808

Level 4: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.rasasayang.com.my 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2424

Level 4: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.duniasex.com 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3300

Level 4: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.rasasayang.com.my 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4660

Level 4: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.duniasex.com 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1344

Level 3: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe (command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1536

Level 3: C:\Windows\SysWOW64\drivers\Kazekage.exe (command line: C:\Windows\system32\drivers\Kazekage.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2128

Level 3: C:\Windows\SysWOW64\drivers\system32.exe (command line: C:\Windows\system32\drivers\system32.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3884

Level 3: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.rasasayang.com.my 65500)
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5332

Level 3: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.duniasex.com 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5248

Level 3: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.rasasayang.com.my 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5240

Level 3: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.duniasex.com 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2700

Level 3: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.rasasayang.com.my 65500)
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3988

Level 3: C:\Windows\SysWOW64\ping.exe (command line: ping -a -l www.duniasex.com 65500)
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2088

Level 2: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe (command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2776

Level 2: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe (command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3180

Level 2: C:\Windows\SysWOW64\drivers\Kazekage.exe (command line: C:\Windows\system32\drivers\Kazekage.exe)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5416

Level 2: C:\Windows\SysWOW64\drivers\system32.exe (command line: C:\Windows\system32\drivers\system32.exe)
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 4064

Level 3: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe (command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1352

Level 3: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe (command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe")
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2280
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe (level 3)
"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4544
C:\Windows\SysWOW64\drivers\Kazekage.exe (level 3)
C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3436
C:\Windows\SysWOW64\drivers\system32.exe (level 3)
C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3700
C:\Windows\SysWOW64\ping.exe (level 3)
ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4196
C:\Windows\SysWOW64\ping.exe (level 3)
ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6032
C:\Windows\SysWOW64\ping.exe (level 3)
ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3316
C:\Windows\SysWOW64\ping.exe (level 3)
ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4836
C:\Windows\SysWOW64\ping.exe (level 3)
ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3748
C:\Windows\SysWOW64\ping.exe (level 3)
ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3812
C:\Windows\SysWOW64\ping.exe (level 2)
ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4252
C:\Windows\SysWOW64\ping.exe (level 2)
ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1744
C:\Windows\SysWOW64\ping.exe (level 2)
ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5576
C:\Windows\SysWOW64\ping.exe (level 2)
ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6048
C:\Windows\SysWOW64\ping.exe (level 2)
ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5552
C:\Windows\SysWOW64\ping.exe (level 2)
ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1608
C:\Windows\system32\cmd.exe (level 1)
C:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\smss.exe
PID:1032
C:\Windows\system32\cmd.exe (level 1)
C:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID:4164
C:\Windows\system32\cmd.exe (level 1)
C:\Windows\system32\cmd.exe /c 18-5-2025.exe
PID:4248
C:\Windows\system32\cmd.exe (level 1)
C:\Windows\system32\cmd.exe /c drivers\csrss.exe
PID:1072
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (8)
Downloads