Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows11-21h2_x64 -
resource
win11-20250502-en -
resource tags
arch:x64arch:x86image:win11-20250502-enlocale:en-usos:windows11-21h2-x64system -
submitted
18/05/2025, 10:17
Behavioral task
behavioral1
Sample
2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
Resource
win11-20250502-en
General
-
Target
2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe
-
Size
8.2MB
-
MD5
3634e9114c3bd0532cd09ef30d1edb0c
-
SHA1
2fe2b9a03c4ddd8500f826704d0e4bb081ee2d11
-
SHA256
d7e263ab3219fe6cf532476e1d51ac75d0f11bd7f011875b69d69a32debb75e1
-
SHA512
1cac989da54d317e32faf31dae043bbe8e7ebe3578c7ae51f4b2fcd998166b7c7f13092802cec915aa7a6675fc6e4d9ebed5caa1cabcf8b5ac1f676871a622a9
-
SSDEEP
49152:AyyqWyWy0GyqWyWyMRPC1eHc785dxytlWF17:AyyqWyWy0GyqWyWyMRPC1eHL5dxyjyp
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe -
UAC bypass 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File created C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" Gaara.exe -
Executes dropped EXE 30 IoCs
pid Process 5808 smss.exe 2436 smss.exe 5184 Gaara.exe 4796 smss.exe 4876 Gaara.exe 4972 csrss.exe 5384 smss.exe 3300 Gaara.exe 4060 csrss.exe 3316 Kazekage.exe 3680 smss.exe 5100 Gaara.exe 4168 csrss.exe 2364 Kazekage.exe 3348 system32.exe 3964 smss.exe 5068 Gaara.exe 4200 csrss.exe 3412 Kazekage.exe 1948 system32.exe 2864 system32.exe 4072 Kazekage.exe 248 system32.exe 3576 csrss.exe 6064 Kazekage.exe 1052 system32.exe 5220 Gaara.exe 4636 csrss.exe 6020 Kazekage.exe 4700 system32.exe -
Loads dropped DLL 18 IoCs
pid Process 5808 smss.exe 2436 smss.exe 5184 Gaara.exe 4796 smss.exe 4876 Gaara.exe 4972 csrss.exe 5384 smss.exe 3300 Gaara.exe 4060 csrss.exe 3680 smss.exe 5100 Gaara.exe 4168 csrss.exe 3964 smss.exe 5068 Gaara.exe 4200 csrss.exe 3576 csrss.exe 5220 Gaara.exe 4636 csrss.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" smss.exe -
Checks whether UAC is enabled 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification \??\G:\Desktop.ini csrss.exe File opened for modification \??\Q:\Desktop.ini csrss.exe File opened for modification \??\N:\Desktop.ini Kazekage.exe File opened for modification D:\Desktop.ini 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\J:\Desktop.ini system32.exe File opened for modification \??\X:\Desktop.ini 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\M:\Desktop.ini smss.exe File opened for modification \??\S:\Desktop.ini smss.exe File opened for modification \??\H:\Desktop.ini Kazekage.exe File opened for modification \??\L:\Desktop.ini system32.exe File opened for modification \??\A:\Desktop.ini smss.exe File opened for modification \??\B:\Desktop.ini smss.exe File opened for modification \??\Y:\Desktop.ini smss.exe File opened for modification \??\E:\Desktop.ini Gaara.exe File opened for modification F:\Desktop.ini Gaara.exe File opened for modification \??\H:\Desktop.ini csrss.exe File opened for modification \??\V:\Desktop.ini csrss.exe File opened for modification D:\Desktop.ini Gaara.exe File opened for modification \??\J:\Desktop.ini Gaara.exe File opened for modification \??\O:\Desktop.ini Kazekage.exe File opened for modification \??\W:\Desktop.ini Kazekage.exe File opened for modification \??\A:\Desktop.ini system32.exe File opened for modification \??\B:\Desktop.ini 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\O:\Desktop.ini 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\L:\Desktop.ini smss.exe File opened for modification F:\Desktop.ini csrss.exe File opened for modification \??\U:\Desktop.ini csrss.exe File opened for modification \??\G:\Desktop.ini Kazekage.exe File opened for modification \??\I:\Desktop.ini Kazekage.exe File opened for modification \??\L:\Desktop.ini Kazekage.exe File opened for modification \??\K:\Desktop.ini 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\M:\Desktop.ini csrss.exe File opened for modification \??\M:\Desktop.ini 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\N:\Desktop.ini 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\V:\Desktop.ini smss.exe File opened for modification \??\W:\Desktop.ini smss.exe File opened for modification \??\Y:\Desktop.ini Gaara.exe File opened for modification \??\S:\Desktop.ini system32.exe File opened for modification \??\X:\Desktop.ini smss.exe File opened for modification \??\Z:\Desktop.ini 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\S:\Desktop.ini csrss.exe File opened for modification \??\Q:\Desktop.ini Kazekage.exe File opened for modification \??\E:\Desktop.ini 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\N:\Desktop.ini system32.exe File opened for modification \??\T:\Desktop.ini Gaara.exe File opened for modification \??\V:\Desktop.ini Gaara.exe File opened for modification \??\J:\Desktop.ini Kazekage.exe File opened for modification \??\P:\Desktop.ini Kazekage.exe File opened for modification \??\Z:\Desktop.ini smss.exe File opened for modification \??\L:\Desktop.ini Gaara.exe File opened for modification \??\B:\Desktop.ini Kazekage.exe File opened for modification \??\S:\Desktop.ini 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\G:\Desktop.ini smss.exe File opened for modification \??\Q:\Desktop.ini smss.exe File opened for modification \??\U:\Desktop.ini Kazekage.exe File opened for modification D:\Desktop.ini system32.exe File opened for modification \??\E:\Desktop.ini system32.exe File opened for modification F:\Desktop.ini 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\P:\Desktop.ini system32.exe File opened for modification \??\Q:\Desktop.ini 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\J:\Desktop.ini smss.exe File opened for modification \??\Y:\Desktop.ini csrss.exe File opened for modification \??\I:\Desktop.ini Gaara.exe File opened for modification \??\M:\Desktop.ini Gaara.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\M: smss.exe File opened (read-only) \??\B: csrss.exe File opened (read-only) \??\L: csrss.exe File opened (read-only) \??\T: Kazekage.exe File opened (read-only) \??\K: system32.exe File opened (read-only) \??\S: system32.exe File opened (read-only) \??\R: csrss.exe File opened (read-only) \??\P: Kazekage.exe File opened (read-only) \??\Q: system32.exe File opened (read-only) \??\O: smss.exe File opened (read-only) \??\H: Gaara.exe File opened (read-only) \??\N: csrss.exe File opened (read-only) \??\K: 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\K: smss.exe File opened (read-only) \??\Z: smss.exe File opened (read-only) \??\N: Gaara.exe File opened (read-only) \??\O: Gaara.exe File opened (read-only) \??\V: Gaara.exe File opened (read-only) \??\Q: csrss.exe File opened (read-only) \??\V: 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\V: Kazekage.exe File opened (read-only) \??\L: 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\L: smss.exe File opened (read-only) \??\E: Gaara.exe File opened (read-only) \??\W: Kazekage.exe File opened (read-only) \??\E: Kazekage.exe File opened (read-only) \??\T: system32.exe File opened (read-only) \??\Z: system32.exe File opened (read-only) \??\S: Gaara.exe File opened (read-only) \??\J: Kazekage.exe File opened (read-only) \??\A: 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\N: system32.exe File opened (read-only) \??\J: smss.exe File opened (read-only) \??\V: smss.exe File opened (read-only) \??\G: Gaara.exe File opened (read-only) \??\R: system32.exe File opened (read-only) \??\R: smss.exe File opened (read-only) \??\H: csrss.exe File opened (read-only) \??\M: csrss.exe File opened (read-only) \??\T: csrss.exe File opened (read-only) \??\X: csrss.exe File opened (read-only) \??\Y: 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\U: smss.exe File opened (read-only) \??\X: smss.exe File opened (read-only) \??\I: Kazekage.exe File opened (read-only) \??\E: 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\J: system32.exe File opened (read-only) \??\R: 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\X: system32.exe File opened (read-only) \??\G: smss.exe File opened (read-only) \??\O: csrss.exe File opened (read-only) \??\Y: csrss.exe File opened (read-only) \??\G: system32.exe File opened (read-only) \??\L: system32.exe File opened (read-only) \??\O: 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\W: smss.exe File opened (read-only) \??\O: Kazekage.exe File opened (read-only) \??\Q: Kazekage.exe File opened (read-only) \??\O: system32.exe File opened (read-only) \??\U: 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\I: Gaara.exe File opened (read-only) \??\U: Kazekage.exe File opened (read-only) \??\G: 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\P: system32.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification \??\Y:\Autorun.inf Kazekage.exe File created \??\R:\Autorun.inf 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\O:\Autorun.inf Gaara.exe File created \??\L:\Autorun.inf Kazekage.exe File opened for modification F:\Autorun.inf system32.exe File created \??\O:\Autorun.inf 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File created \??\P:\Autorun.inf 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File created \??\J:\Autorun.inf Gaara.exe File opened for modification \??\B:\Autorun.inf Kazekage.exe File created \??\M:\Autorun.inf Kazekage.exe File created \??\M:\Autorun.inf smss.exe File opened for modification \??\P:\Autorun.inf csrss.exe File opened for modification \??\W:\Autorun.inf csrss.exe File opened for modification \??\H:\Autorun.inf Kazekage.exe File created \??\P:\Autorun.inf Kazekage.exe File opened for modification \??\H:\Autorun.inf system32.exe File created \??\A:\Autorun.inf smss.exe File created \??\V:\Autorun.inf smss.exe File created \??\K:\Autorun.inf csrss.exe File created \??\N:\Autorun.inf 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File created D:\Autorun.inf 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File created \??\Z:\Autorun.inf 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\U:\Autorun.inf smss.exe File created \??\W:\Autorun.inf Kazekage.exe File created D:\Autorun.inf system32.exe File created \??\K:\Autorun.inf system32.exe File opened for modification \??\A:\Autorun.inf smss.exe File opened for modification \??\M:\Autorun.inf Gaara.exe File created \??\P:\Autorun.inf csrss.exe File opened for modification C:\Autorun.inf system32.exe File created \??\L:\Autorun.inf 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\Z:\Autorun.inf 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\Q:\Autorun.inf smss.exe File opened for modification \??\Y:\Autorun.inf smss.exe File created \??\I:\Autorun.inf Kazekage.exe File created \??\O:\Autorun.inf system32.exe File created \??\P:\Autorun.inf smss.exe File opened for modification \??\E:\Autorun.inf Kazekage.exe File opened for modification \??\I:\Autorun.inf Kazekage.exe File opened for modification \??\V:\Autorun.inf 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File created F:\Autorun.inf 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\E:\Autorun.inf Gaara.exe File created \??\L:\Autorun.inf csrss.exe File opened for modification F:\Autorun.inf Kazekage.exe File created \??\N:\Autorun.inf Kazekage.exe File opened for modification \??\P:\Autorun.inf Kazekage.exe File created \??\G:\Autorun.inf 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Autorun.inf smss.exe File opened for modification \??\L:\Autorun.inf smss.exe File created \??\O:\Autorun.inf Gaara.exe File opened for modification \??\S:\Autorun.inf system32.exe File created \??\U:\Autorun.inf 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\P:\Autorun.inf smss.exe File created \??\S:\Autorun.inf smss.exe File opened for modification \??\B:\Autorun.inf system32.exe File opened for modification \??\W:\Autorun.inf system32.exe File created \??\Y:\Autorun.inf system32.exe File created D:\Autorun.inf smss.exe File created D:\Autorun.inf Gaara.exe File created \??\Z:\Autorun.inf Kazekage.exe File opened for modification \??\N:\Autorun.inf 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\K:\Autorun.inf smss.exe File opened for modification \??\O:\Autorun.inf smss.exe File created \??\H:\Autorun.inf csrss.exe -
Drops file in System32 directory 39 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\18-5-2025.exe 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\18-5-2025.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File created C:\Windows\SysWOW64\18-5-2025.exe 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\18-5-2025.exe system32.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File opened for modification C:\Windows\SysWOW64\18-5-2025.exe csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File created C:\Windows\SysWOW64\msvbvm60.dll 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\18-5-2025.exe smss.exe File opened for modification C:\Windows\SysWOW64\18-5-2025.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\ 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File created C:\Windows\SysWOW64\Desktop.ini 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File created C:\Windows\SysWOW64\mscomctl.ocx 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\ smss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe -
resource yara_rule behavioral2/memory/3876-0-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001900000002b12d-11.dat upx behavioral2/files/0x001c00000002b12b-33.dat upx behavioral2/memory/5808-32-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001900000002b133-57.dat upx behavioral2/memory/2436-70-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001900000002b12c-74.dat upx behavioral2/memory/5184-77-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001900000002b12d-84.dat upx behavioral2/files/0x001900000002b131-89.dat upx behavioral2/files/0x001900000002b133-96.dat upx behavioral2/files/0x001900000002b132-92.dat upx behavioral2/memory/2436-80-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/4876-112-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/4876-116-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/4972-121-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001900000002b132-132.dat upx behavioral2/memory/3316-164-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001900000002b131-170.dat upx behavioral2/files/0x001900000002b133-174.dat upx behavioral2/memory/5808-187-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/3876-163-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/4060-160-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/3300-156-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001900000002b133-135.dat upx behavioral2/memory/2364-202-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/2364-205-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/3348-208-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/5100-197-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/4168-196-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/5184-195-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/4972-227-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/5068-234-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/3412-238-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/3316-237-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x001e00000002b13c-244.dat upx behavioral2/memory/2864-247-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/1948-241-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/4072-250-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/3348-256-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/1052-260-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/6064-263-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/1052-264-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/5220-268-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/6020-272-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/4700-275-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/3576-257-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/memory/248-253-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral2/files/0x000100000000002c-500.dat upx -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe smss.exe File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll system32.exe File opened for modification C:\Windows\mscomctl.ocx system32.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe File created C:\Windows\Fonts\The Kazekage.jpg 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe Gaara.exe File opened for modification C:\Windows\system\mscoree.dll system32.exe File opened for modification C:\Windows\mscomctl.ocx csrss.exe File opened for modification C:\Windows\ Kazekage.exe File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe Kazekage.exe File created C:\Windows\system\msvbvm60.dll 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe system32.exe File opened for modification C:\Windows\ system32.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe csrss.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe csrss.exe File created C:\Windows\mscomctl.ocx 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe smss.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe csrss.exe File opened for modification C:\Windows\system\msvbvm60.dll system32.exe File opened for modification C:\Windows\ Gaara.exe File opened for modification C:\Windows\ csrss.exe File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe Gaara.exe File opened for modification C:\Windows\system\mscoree.dll smss.exe File opened for modification C:\Windows\system\mscoree.dll Kazekage.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll Kazekage.exe File created C:\Windows\WBEM\msvbvm60.dll system32.exe File opened for modification C:\Windows\ 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe Gaara.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe csrss.exe File created C:\Windows\WBEM\msvbvm60.dll csrss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg system32.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe system32.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe system32.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe csrss.exe File opened for modification C:\Windows\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\msvbvm60.dll 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe smss.exe File opened for modification C:\Windows\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe Gaara.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe Kazekage.exe File opened for modification C:\Windows\msvbvm60.dll 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\mscoree.dll 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe system32.exe File created C:\Windows\msvbvm60.dll 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe Kazekage.exe File opened for modification C:\Windows\msvbvm60.dll system32.exe File opened for modification C:\Windows\mscomctl.ocx 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 5640 ping.exe 1788 ping.exe 1000 ping.exe 4840 ping.exe 6032 ping.exe 2772 ping.exe 3488 ping.exe 3960 ping.exe 5488 ping.exe 1500 ping.exe 5512 ping.exe 3560 ping.exe 2804 ping.exe 1932 ping.exe 1512 ping.exe 452 ping.exe 4728 ping.exe 5848 ping.exe 4184 ping.exe 3068 ping.exe 3384 ping.exe 5176 ping.exe 3328 ping.exe 5104 ping.exe 2544 ping.exe 4460 ping.exe 4632 ping.exe 5868 ping.exe 232 ping.exe 4832 ping.exe 5996 ping.exe 2008 ping.exe 3360 ping.exe 5592 ping.exe 2216 ping.exe 1076 ping.exe -
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\WallpaperStyle = "2" smss.exe Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Speed = "4" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Size = "72" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\WallpaperStyle = "2" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Size = "72" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Size = "72" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Speed = "4" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" smss.exe Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\WallpaperStyle = "2" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe -
Modifies registry class 51 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe -
Runs ping.exe 1 TTPs 36 IoCs
pid Process 4460 ping.exe 5848 ping.exe 5488 ping.exe 2216 ping.exe 4184 ping.exe 5868 ping.exe 1788 ping.exe 3960 ping.exe 2772 ping.exe 452 ping.exe 3328 ping.exe 2008 ping.exe 3488 ping.exe 3560 ping.exe 6032 ping.exe 3384 ping.exe 5176 ping.exe 5104 ping.exe 4728 ping.exe 1076 ping.exe 2804 ping.exe 2544 ping.exe 1500 ping.exe 5592 ping.exe 4832 ping.exe 1512 ping.exe 3360 ping.exe 5512 ping.exe 4632 ping.exe 1000 ping.exe 4840 ping.exe 5996 ping.exe 5640 ping.exe 1932 ping.exe 3068 ping.exe 232 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 4972 csrss.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3316 Kazekage.exe 3348 system32.exe 3348 system32.exe 3348 system32.exe 3348 system32.exe 3348 system32.exe 3348 system32.exe 3348 system32.exe 3348 system32.exe 3348 system32.exe 3348 system32.exe 3348 system32.exe 3348 system32.exe 3348 system32.exe 3348 system32.exe 3348 system32.exe 3348 system32.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 3876 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe 5808 smss.exe 2436 smss.exe 5184 Gaara.exe 4796 smss.exe 4876 Gaara.exe 4972 csrss.exe 5384 smss.exe 3300 Gaara.exe 4060 csrss.exe 3316 Kazekage.exe 3680 smss.exe 5100 Gaara.exe 4168 csrss.exe 2364 Kazekage.exe 3348 system32.exe 3964 smss.exe 5068 Gaara.exe 4200 csrss.exe 3412 Kazekage.exe 1948 system32.exe 2864 system32.exe 4072 Kazekage.exe 248 system32.exe 3576 csrss.exe 6064 Kazekage.exe 1052 system32.exe 5220 Gaara.exe 4636 csrss.exe 6020 Kazekage.exe 4700 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3876 wrote to memory of 5808 3876 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe 78 PID 3876 wrote to memory of 5808 3876 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe 78 PID 3876 wrote to memory of 5808 3876 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe 78 PID 5808 wrote to memory of 2436 5808 smss.exe 79 PID 5808 wrote to memory of 2436 5808 smss.exe 79 PID 5808 wrote to memory of 2436 5808 smss.exe 79 PID 5808 wrote to memory of 5184 5808 smss.exe 80 PID 5808 wrote to memory of 5184 5808 smss.exe 80 PID 5808 wrote to memory of 5184 5808 smss.exe 80 PID 5184 wrote to memory of 4796 5184 Gaara.exe 81 PID 5184 wrote to memory of 4796 5184 Gaara.exe 81 PID 5184 wrote to memory of 4796 5184 Gaara.exe 81 PID 5184 wrote to memory of 4876 5184 Gaara.exe 82 PID 5184 wrote to memory of 4876 5184 Gaara.exe 82 PID 5184 wrote to memory of 4876 5184 Gaara.exe 82 PID 5184 wrote to memory of 4972 5184 Gaara.exe 83 PID 5184 wrote to memory of 4972 5184 Gaara.exe 83 PID 5184 wrote to memory of 4972 5184 Gaara.exe 83 PID 4972 wrote to memory of 5384 4972 csrss.exe 84 PID 4972 wrote to memory of 5384 4972 csrss.exe 84 PID 4972 wrote to memory of 5384 4972 csrss.exe 84 PID 4972 wrote to memory of 3300 4972 csrss.exe 85 PID 4972 wrote to memory of 3300 4972 csrss.exe 85 PID 4972 wrote to memory of 3300 4972 csrss.exe 85 PID 4972 wrote to memory of 4060 4972 csrss.exe 86 PID 4972 wrote to memory of 4060 4972 csrss.exe 86 PID 4972 wrote to memory of 4060 4972 csrss.exe 86 PID 4972 wrote to memory of 3316 4972 csrss.exe 87 PID 4972 wrote to memory of 3316 4972 csrss.exe 87 PID 4972 wrote to memory of 3316 4972 csrss.exe 87 PID 3316 wrote to memory of 3680 3316 Kazekage.exe 88 PID 3316 wrote to memory of 3680 3316 Kazekage.exe 88 PID 3316 wrote to memory of 3680 3316 Kazekage.exe 88 PID 3316 wrote to memory of 5100 3316 Kazekage.exe 89 PID 3316 wrote to memory of 5100 3316 Kazekage.exe 89 PID 3316 wrote to memory of 5100 3316 Kazekage.exe 89 PID 3316 wrote to memory of 4168 3316 Kazekage.exe 90 PID 3316 wrote to memory of 4168 3316 Kazekage.exe 90 PID 3316 wrote to memory of 4168 3316 Kazekage.exe 90 PID 3316 wrote to memory of 2364 3316 Kazekage.exe 91 PID 3316 wrote to memory of 2364 3316 Kazekage.exe 91 PID 3316 wrote to memory of 2364 3316 Kazekage.exe 91 PID 3316 wrote to memory of 3348 3316 Kazekage.exe 92 PID 3316 wrote to memory of 3348 3316 Kazekage.exe 92 PID 3316 wrote to memory of 3348 3316 Kazekage.exe 92 PID 3348 wrote to memory of 3964 3348 system32.exe 93 PID 3348 wrote to memory of 3964 3348 system32.exe 93 PID 3348 wrote to memory of 3964 3348 system32.exe 93 PID 3348 wrote to memory of 5068 3348 system32.exe 94 PID 3348 wrote to memory of 5068 3348 system32.exe 94 PID 3348 wrote to memory of 5068 3348 system32.exe 94 PID 3348 wrote to memory of 4200 3348 system32.exe 95 PID 3348 wrote to memory of 4200 3348 system32.exe 95 PID 3348 wrote to memory of 4200 3348 system32.exe 95 PID 3348 wrote to memory of 3412 3348 system32.exe 96 PID 3348 wrote to memory of 3412 3348 system32.exe 96 PID 3348 wrote to memory of 3412 3348 system32.exe 96 PID 3348 wrote to memory of 1948 3348 system32.exe 97 PID 3348 wrote to memory of 1948 3348 system32.exe 97 PID 3348 wrote to memory of 1948 3348 system32.exe 97 PID 4972 wrote to memory of 2864 4972 csrss.exe 98 PID 4972 wrote to memory of 2864 4972 csrss.exe 98 PID 4972 wrote to memory of 2864 4972 csrss.exe 98 PID 5184 wrote to memory of 4072 5184 Gaara.exe 99 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-18_3634e9114c3bd0532cd09ef30d1edb0c_amadey_black-basta_elex_luca-stealer.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3876 -
C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5808 -
C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2436
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5184 -
C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4796
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4876
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4972 -
C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5384
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3300
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4060
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3316 -
C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3680
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5100
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4168
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2364
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3348 -
C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3964
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5068
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4200
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3412
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1948
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3560
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2804
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3360
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3068
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4184
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:232
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5868
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3488
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1500
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1512
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:452
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3328
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2864
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5640
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4632
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1000
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6032
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2216
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5104
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4072
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:248
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4460
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5512
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5488
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1932
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4840
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4832
-
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3576
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6064
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1052
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2008
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1076
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3960
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1788
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5176
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2772
-
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5220
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4636
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6020
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4700
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5996
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4728
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5848
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2544
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5592
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3384
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\smss.exe1⤵PID:1612
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\Gaara.exe1⤵PID:5616
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 18-5-2025.exe1⤵PID:5620
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4520
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD51564dfe69ffed40950e5cb644e0894d1
SHA1201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA51272df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
8.2MB
MD54ae02f51f541355cfb976373e5a6ac47
SHA1e8b1df5073b683999c36fe251b4838d0b4c0a9f8
SHA25609738aeff91b9f057ad24caabb9f978cec960ffd37e474d92a9390a26390f836
SHA512433fa9e9c40e59b9344dd3ddbb51ad8716c334df969d1e4b7a6a7962ffd2cdd15e01fc6300b64e9c0028fafbffb3634df5ab3c1ef3ab34528e9e4a5093ee97c9
-
Filesize
8.2MB
MD5c91e6ab0ad1f5a94938c9858b2ca3ff8
SHA1e253a8338a4b386d50e83a46317ad6dbdd0f24a6
SHA256e546ab23047b5e793a4d6a8118d671349cf952bc9a65a95ffd9e9e4b0fe66d5b
SHA5127208669ee56204b97293d66a47c0a8439b98b74943f9fdc84c23f2f02a4869f9f2d8b38febafc38f70ba822f14e31e07cf5f00f009492f96252fdafd159fe6b3
-
Filesize
7.4MB
MD57e6f9c7e0330975134268b0868c513f5
SHA1738859efb777a14a94238d84906753e8ddd752b9
SHA25690c2962e4d3db6a6e69bb744ed76c0807152788577858ebb0cc9947d1a10a684
SHA51294233a367fa5eec1db3c04d6c1d3e2527a938347edae4cf46540d8cc8f3ed3ac5eb024ef81508514db95304d07d445991df177eb4d205ac3d90ab372d12d3d49
-
Filesize
8.2MB
MD5564a573b987350dfc461361ae1841222
SHA157460adea8d5d65385147ab7dce0388e8e877dd4
SHA25616ff430051b5f1d2b30ab45e8c90a52a0c23e34a096d4a36ff88b11568536e78
SHA512b294adba6e128613e6e67e19863c1014c2c25828923b5a6c51ea2020d5c6e2b8de79c52fbebdf0d38818c3b0039428f30ea0ba7c97755076df8798ae8b432347
-
Filesize
8.2MB
MD542a380c1be2ac909f47094fe2e563515
SHA1c6d6af6ce323aa5f94bdf2d8dc9953593699fdd1
SHA256e395957724140e61bec629e4f38174e7f13230ebc3a980bb52546c7e3b665d31
SHA51250d7e6ab602c8631ee550519ee6c9f306da3c3a28f974362acdbe5246a3a17791c5def9111e3d00a4f03ff5866f0df761faaf6e344deda45786b032191fe4f4b
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
8.2MB
MD5145e040ca7c93e903223992aee8fdbf9
SHA1e85825a35d51f9a36e6f754b9ef6764f12d0980d
SHA256330098ca1350373fa86836a65683473f43971a85b869427a40ebe070a13d17bd
SHA5129061f9f9b13a1eb0f4ecf9af69ba8039be69aa6c353923d52ed3c03be2cd6d4e85b47bd4b6af3268cda60318fb4facba2486cf3ed33820a48af9aae165d4a774
-
Filesize
8.2MB
MD5673573d257e7f81ea81abead6b80a235
SHA113a35cfcb72e1f2f66f98fc936baa447decc663c
SHA25676b3ddee3e4de6ec6d88f5d474746a21791b578f031b5163de91b78befe0f6cf
SHA512a67d6cdecf97b344d9ad1404e2d2f1fe1d32015f5186cebf9fe065cb45dd70f5981a69010954a7460dcba85b028cb45ffc968e897d888ba98e73eede89e9b775
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
8.2MB
MD57481f20077ef89f66f69669907a2debc
SHA1f9423fd2854221b2aaf3240b3e7a393a1ba2958a
SHA2564aeb0a96ae48dac31b1e493322e4968a3157b0c671d5428a0468a4df75db9b47
SHA51264f0dae4df85c39c43800c0918eabb58b4bf23f3b810bddeb6864f823245845da42fb77acc0335404b136a6755411ac6fe73833ec35772f85ecf4ddc609c34da
-
Filesize
8.2MB
MD5bb2c15fd2c2973c0a4a268f11842a15c
SHA1bd3a11faad6d6090f3c88cc96477ab55166e64f9
SHA2563173697546287c5c518008e577477f10b926874eaf6d9054e0f98a99dc2bc9bd
SHA51276b6dc12dd22b8b06a374733c4f9d41848bc2a494e28a2c19e85f2c5a555b365d9d9840284a037e60a7159672daf774a2f39109cf40f3c723d9cf6e6835559ec
-
Filesize
8.2MB
MD5af3eac071e439160086bdfc5fd444276
SHA166f7b25ee468bb291dab47257a3aa03ce9e0b319
SHA25653fad15541eb30b59bf06ba295d673b3816e945777650555cea9fa0af612bdd0
SHA5127964a028af6b81c33a1a22887f1ce3be7fc1be8b7566fc212fe3dca10bd7556da99b1936029e84a61ce52242ceac4e7948157d8564590fce3a7ab745f782343b
-
Filesize
8.2MB
MD535e05538adb3177122c257594e647fd7
SHA1189b06bd1fb3e1570ac65d2163b02b6f63ffea99
SHA2569971a7548d031faa2fa721045a84f50cad512f7a51fc4f2f64e25fadfbf31572
SHA5127a3635702720ffa045875ef5125d990bc831218aa6b56daaf8ee06600bc755e22a711836fd4cf9cc97458232b2bfce2dd630dec8e4bb659bede6ebc92c9bf99a
-
Filesize
8.2MB
MD56fb4372f0d6eca51a5e38524282144ea
SHA114acdd0ab178485b39cec1bec8cc7a299f75ece5
SHA256970d12f16860dbcd9a6b74620e198fbd7a9ba5f8d6df9d6adf4505095abbb8d3
SHA51256263af0aee813482ed2f25062fd65e10c6830a7cd7fc16af64540a35dc2613091efab3ec92408df65d547df11c0fb1b814d90c8f141ab79b398b50d0a08fa12
-
Filesize
8.2MB
MD5dcfebcaaac6a4f538d73383ff2b2ff62
SHA19c1fc33a4caad04a94c9909675f8ddc2146f4ff6
SHA2566642d10da13ce8aee6492569cb268466bbecf86229ddeb58381538c172d5cb85
SHA51240680ca06e5cb25e9b25e59b70a947846330a2a11df40f54fd36a3e5dd0f3319cd107b5ff48cf80046030bd4487a22d42d09b553f00218320916085ab9a442dc
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
8.2MB
MD5634af4442fb1888e289ef3915dbebae2
SHA1e6f78438e65fe9f91132ad6c9e790de0e93134dd
SHA2560fa7d5bca304da6f9355dc4c8484764ede1bd74680f7e732b30080d222bfd26f
SHA51266f8b48c5c9b8371cf520766e917ab4b854d03050bd98bbdc6d352fb12f08608db8fb2fb1b06d1dee478e88947ed4454cd0a453f3ed15ef3c714c4a5c563af37