Analysis

Max time kernel: 149s
Max time network: 144s
Platform: windows10-2004_x64
Resource: win10v2004-20250502-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 18/05/2025, 10:47

Behavioral task: behavioral1
Sample: 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Resource: win10v2004-20250502-en
General

Target: 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Size: 8.2MB
MD5: 9b4432eb727a9219d5e88d3ad3643644
SHA1: be5af80260e18da279d57d42fecd95a6d80d9400
SHA256: 25ce3600ca36c785efa81485fa919ae06dee2254708a9e1b015019c8a699d026
SHA512: 9d90078959b81dd43bc7b6cd3f240aba993b059a270fa4f5706a2f86dab7e9d9f693ff0f1acbcb70d1cf4a49cb8e30d1678a8ad5fd46527c8de239aa15562047
SSDEEP: 49152:uyyqWyWy0GyqWyWyMRPC1eHc785dxytlWF17:uyyqWyWy0GyqWyWyMRPC1eHL5dxyjyp

Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)

All keys below are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\

| Description | IoC | Process |
|---|---|---|
| Set value (str) | Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe |
| Set value (str) | Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe |
| Set value (str) | Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe |
| Set value (str) | Shell = "Explorer.exe, drivers\\csrss.exe" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| Set value (str) | Userinit = "userinit.exe,drivers\\system32.exe" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| Set value (str) | Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe |
| Set value (str) | Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe |
| Set value (str) | Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe |
| Set value (str) | Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe |
| Set value (str) | Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe |
| Set value (str) | Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe |
| Set value (str) | Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe |
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe |
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe |
UAC bypass (3 TTPs, 6 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe |
Disables RegEdit via registry modification (6 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe |

Disables use of System Restore points (1 TTPs)
Drops file in Drivers directory (24 IoCs)

| Description | IoC | Process |
|---|---|---|
| File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe |
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 64 IoCs)

All keys below are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\

| Description | IoC | Process |
|---|---|---|
| Set value (str) | Rin.exe\Debugger = "cmd.exe /c del" | smss.exe |
| Key created | Thumbs.com | smss.exe |
| Set value (str) | kspoold.exe\Debugger = "cmd.exe /c del" | system32.exe |
| Set value (str) | msconfig.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe |
| Key created | Obito.exe | Kazekage.exe |
| Set value (str) | regedt32.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe |
| Key created | Funny UST Scandal.exe | system32.exe |
| Set value (str) | Obito.exe\Debugger = "cmd.exe /c del" | csrss.exe |
| Key created | taskmgr.exe | csrss.exe |
| Key created | mmc.exe | system32.exe |
| Set value (str) | kspool.exe\Debugger = "cmd.exe /c del" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| Set value (str) | cscript.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe |
| Key created | kspoold.exe | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| Key created | HokageFile.exe | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| Set value (str) | HOKAGE4.exe\Debugger = "cmd.exe /c del" | Gaara.exe |
| Key created | mmc.exe | Kazekage.exe |
| Set value (str) | msconfig.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe |
| Set value (str) | mmc.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe |
| Key created | regedt32.exe | system32.exe |
| Set value (str) | kspoold.exe\Debugger = "cmd.exe /c del" | Kazekage.exe |
| Key created | HOKAGE4.exe | Kazekage.exe |
| Key created | regedt32.exe | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| Key created | KakashiHatake.exe | system32.exe |
| Key created | Funny UST Scandal.avi.exe | system32.exe |
| Key created | mmc.exe | Gaara.exe |
| Key created | Thumbs.com | Kazekage.exe |
| Key created | Funny UST Scandal.avi.exe | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| Set value (str) | kspoold.exe\Debugger = "cmd.exe /c del" | csrss.exe |
| Key created | Funny UST Scandal.exe | Gaara.exe |
| Key created | HOKAGE4.exe | system32.exe |
| Key created | kspool.exe | Gaara.exe |
| Key created | cscript.exe | smss.exe |
| Set value (str) | regedt32.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe |
| Key created | Funny UST Scandal.exe | Kazekage.exe |
| Key created | taskmgr.exe | system32.exe |
| Set value (str) | rstrui.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe |
| Key created | HOKAGE4.exe | Gaara.exe |
| Set value (str) | taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe |
| Set value (str) | Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| Set value (str) | Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | Gaara.exe |
| Set value (str) | regedit.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe |
| Set value (str) | kspoold.exe\Debugger = "cmd.exe /c del" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| Set value (str) | cscript.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe |
| Key created | Funny UST Scandal.avi.exe | Kazekage.exe |
| Set value (str) | Rin.exe\Debugger = "cmd.exe /c del" | Gaara.exe |
| Key created | cscript.exe | Gaara.exe |
| Key created | Rin.exe | Kazekage.exe |
| Key created | kspool.exe | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| Set value (str) | HOKAGE4.exe\Debugger = "cmd.exe /c del" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| Key created | HOKAGE4.exe | csrss.exe |
| Set value (str) | Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | Gaara.exe |
| Key created | msconfig.exe | Kazekage.exe |
| Set value (str) | kspool.exe\Debugger = "cmd.exe /c del" | smss.exe |
| Set value (str) | kspool.exe\Debugger = "cmd.exe /c del" | system32.exe |
| Set value (str) | Obito.exe\Debugger = "cmd.exe /c del" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| Set value (str) | wscript.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe |
| Set value (str) | mmc.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe |
| Set value (str) | KakashiHatake.exe\Debugger = "cmd.exe /c del" | csrss.exe |
| Set value (str) | HokageFile.exe\Debugger = "cmd.exe /c del" | Kazekage.exe |
| Key created | regedit.exe | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| Key created | Rin.exe | system32.exe |
| Set value (str) | HOKAGE4.exe\Debugger = "cmd.exe /c del" | csrss.exe |
| Set value (str) | HOKAGE4.exe\Debugger = "cmd.exe /c del" | Kazekage.exe |
| Key created | msconfig.exe | smss.exe |
Executes dropped EXE (30 IoCs)

| pid | Process |
|---|---|
| 1912 | smss.exe |
| 4896 | smss.exe |
| 4716 | Gaara.exe |
| 1816 | smss.exe |
| 4028 | Gaara.exe |
| 4192 | csrss.exe |
| 1484 | smss.exe |
| 3212 | Gaara.exe |
| 5692 | Gaara.exe |
| 816 | csrss.exe |
| 5532 | csrss.exe |
| 2532 | Kazekage.exe |
| 2744 | Kazekage.exe |
| 4052 | csrss.exe |
| 2432 | Kazekage.exe |
| 2632 | system32.exe |
| 2592 | smss.exe |
| 5956 | system32.exe |
| 6132 | Gaara.exe |
| 4508 | smss.exe |
| 656 | Gaara.exe |
| 5292 | csrss.exe |
| 4616 | csrss.exe |
| 4504 | Kazekage.exe |
| 4452 | system32.exe |
| 5220 | Kazekage.exe |
| 5400 | Kazekage.exe |
| 1156 | system32.exe |
| 3304 | system32.exe |
| 4104 | system32.exe |
Loads dropped DLL (18 IoCs)

| pid | Process |
|---|---|
| 1912 | smss.exe |
| 4896 | smss.exe |
| 4716 | Gaara.exe |
| 1816 | smss.exe |
| 4028 | Gaara.exe |
| 4192 | csrss.exe |
| 1484 | smss.exe |
| 3212 | Gaara.exe |
| 5692 | Gaara.exe |
| 816 | csrss.exe |
| 5532 | csrss.exe |
| 4052 | csrss.exe |
| 2592 | smss.exe |
| 6132 | Gaara.exe |
| 4508 | smss.exe |
| 656 | Gaara.exe |
| 5292 | csrss.exe |
| 4616 | csrss.exe |
Adds Run key to start application (2 TTPs, 24 IoCs)

All keys below are under \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\

| Description | IoC | Process |
|---|---|---|
| Set value (str) | DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" | csrss.exe |
| Set value (str) | 644r4 = "18-5-2025.exe" | csrss.exe |
| Set value (str) | SystemRun = "drivers\\csrss.exe" | csrss.exe |
| Set value (str) | FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" | smss.exe |
| Set value (str) | SystemRun = "drivers\\csrss.exe" | smss.exe |
| Set value (str) | FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" | Gaara.exe |
| Set value (str) | DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" | smss.exe |
| Set value (str) | 644r4 = "18-5-2025.exe" | smss.exe |
| Set value (str) | DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" | system32.exe |
| Set value (str) | DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" | Gaara.exe |
| Set value (str) | 644r4 = "18-5-2025.exe" | Gaara.exe |
| Set value (str) | SystemRun = "drivers\\csrss.exe" | Gaara.exe |
| Set value (str) | DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" | Kazekage.exe |
| Set value (str) | FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" | Kazekage.exe |
| Set value (str) | FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" | system32.exe |
| Set value (str) | SystemRun = "drivers\\csrss.exe" | system32.exe |
| Set value (str) | DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| Set value (str) | 644r4 = "18-5-2025.exe" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| Set value (str) | FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" | csrss.exe |
| Set value (str) | 644r4 = "18-5-2025.exe" | Kazekage.exe |
| Set value (str) | SystemRun = "drivers\\csrss.exe" | Kazekage.exe |
| Set value (str) | 644r4 = "18-5-2025.exe" | system32.exe |
| Set value (str) | FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
| Set value (str) | SystemRun = "drivers\\csrss.exe" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
Checks whether UAC is enabled (1 TTPs, 6 IoCs)

| Description | IoC | Process |
|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe |
Drops desktop.ini file(s) (64 IoCs)
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\Autorun.inf | smss.exe
File opened for modification | \??\S:\Autorun.inf | smss.exe
File created | \??\E:\Autorun.inf | system32.exe
File created | D:\Autorun.inf | smss.exe
File opened for modification | \??\K:\Autorun.inf | csrss.exe
File opened for modification | \??\L:\Autorun.inf | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File created | \??\X:\Autorun.inf | Gaara.exe
File created | \??\U:\Autorun.inf | Kazekage.exe
File opened for modification | \??\B:\Autorun.inf | csrss.exe
File opened for modification | \??\J:\Autorun.inf | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | \??\X:\Autorun.inf | smss.exe
File created | \??\G:\Autorun.inf | csrss.exe
File created | \??\H:\Autorun.inf | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File created | \??\M:\Autorun.inf | smss.exe
File created | \??\B:\Autorun.inf | csrss.exe
File created | \??\G:\Autorun.inf | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | \??\H:\Autorun.inf | smss.exe
File created | \??\H:\Autorun.inf | system32.exe
File opened for modification | C:\Autorun.inf | csrss.exe
File opened for modification | \??\G:\Autorun.inf | csrss.exe
File created | \??\A:\Autorun.inf | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File created | \??\V:\Autorun.inf | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | \??\X:\Autorun.inf | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File created | \??\J:\Autorun.inf | smss.exe
File created | \??\B:\Autorun.inf | Gaara.exe
File opened for modification | \??\B:\Autorun.inf | Kazekage.exe
File opened for modification | \??\J:\Autorun.inf | smss.exe
File opened for modification | \??\J:\Autorun.inf | Gaara.exe
File created | \??\U:\Autorun.inf | smss.exe
File opened for modification | \??\Z:\Autorun.inf | Gaara.exe
File opened for modification | \??\M:\Autorun.inf | Kazekage.exe
File opened for modification | \??\B:\Autorun.inf | system32.exe
File created | \??\X:\Autorun.inf | system32.exe
File opened for modification | \??\V:\Autorun.inf | smss.exe
File opened for modification | \??\Q:\Autorun.inf | Kazekage.exe
File created | \??\R:\Autorun.inf | smss.exe
File created | \??\X:\Autorun.inf | smss.exe
File opened for modification | \??\Z:\Autorun.inf | smss.exe
File opened for modification | \??\K:\Autorun.inf | Gaara.exe
File created | \??\W:\Autorun.inf | system32.exe
File opened for modification | \??\N:\Autorun.inf | csrss.exe
File created | \??\I:\Autorun.inf | smss.exe
File created | \??\L:\Autorun.inf | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File created | \??\O:\Autorun.inf | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File created | \??\E:\Autorun.inf | Kazekage.exe
File created | \??\Q:\Autorun.inf | Kazekage.exe
File opened for modification | \??\O:\Autorun.inf | system32.exe
File opened for modification | \??\O:\Autorun.inf | csrss.exe
File created | \??\Q:\Autorun.inf | csrss.exe
File created | \??\B:\Autorun.inf | Kazekage.exe
File opened for modification | \??\V:\Autorun.inf | system32.exe
File created | \??\V:\Autorun.inf | csrss.exe
File opened for modification | \??\X:\Autorun.inf | csrss.exe
File created | \??\W:\Autorun.inf | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File created | \??\K:\Autorun.inf | smss.exe
File created | \??\N:\Autorun.inf | smss.exe
File opened for modification | \??\R:\Autorun.inf | Gaara.exe
File created | \??\V:\Autorun.inf | Gaara.exe
File created | \??\P:\Autorun.inf | Kazekage.exe
File opened for modification | \??\T:\Autorun.inf | system32.exe
File created | \??\J:\Autorun.inf | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File created | \??\L:\Autorun.inf | smss.exe
File opened for modification | \??\W:\Autorun.inf | smss.exe
File created | \??\W:\Autorun.inf | Gaara.exe
Drops file in System32 directory 39 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\ | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | csrss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | csrss.exe
File opened for modification | C:\Windows\SysWOW64\ | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\18-5-2025.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\18-5-2025.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\ | system32.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\18-5-2025.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\18-5-2025.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\ | Kazekage.exe
File created | C:\Windows\SysWOW64\Desktop.ini | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | system32.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | system32.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\ | csrss.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\Desktop.ini | Kazekage.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | Kazekage.exe
File created | C:\Windows\SysWOW64\mscomctl.ocx | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File created | C:\Windows\SysWOW64\18-5-2025.exe | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\18-5-2025.exe | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\SysWOW64\18-5-2025.exe | smss.exe
File created | C:\Windows\SysWOW64\msvbvm60.dll | csrss.exe
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
resource | yara_rule
behavioral1/memory/2256-0-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/files/0x0007000000024247-11.dat | upx
behavioral1/files/0x0007000000024245-31.dat | upx
behavioral1/memory/1912-34-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/files/0x0007000000024247-46.dat | upx
behavioral1/files/0x0007000000024248-49.dat | upx
behavioral1/files/0x0007000000024249-53.dat | upx
behavioral1/files/0x0008000000024240-57.dat | upx
behavioral1/memory/4896-70-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/4716-78-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/files/0x0007000000024246-76.dat | upx
behavioral1/memory/4896-74-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/files/0x0007000000024247-84.dat | upx
behavioral1/files/0x0007000000024248-88.dat | upx
behavioral1/files/0x0007000000024249-94.dat | upx
behavioral1/files/0x0008000000024240-96.dat | upx
behavioral1/memory/4028-113-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2256-112-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/4028-117-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/4192-120-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/files/0x0007000000024249-132.dat | upx
behavioral1/memory/1912-140-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/4716-153-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/816-163-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/3212-167-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/5692-166-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/816-172-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/5532-175-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2744-179-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2532-177-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/4192-183-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/files/0x0008000000024240-207.dat | upx
behavioral1/memory/2632-210-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2744-206-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/files/0x0007000000024248-193.dat | upx
behavioral1/memory/2432-219-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2592-225-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/files/0x0007000000024248-227.dat | upx
behavioral1/memory/2532-236-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/5956-239-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/4508-243-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/6132-244-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/656-249-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/2632-254-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/4504-255-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/4452-262-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/5220-263-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/5400-264-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/3304-271-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/4104-272-0x0000000000400000-0x000000000042B000-memory.dmp | upx
behavioral1/memory/1156-273-0x0000000000400000-0x000000000042B000-memory.dmp | upx
Drops file in Windows directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File created | C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe | system32.exe
File created | C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe | csrss.exe
File opened for modification | C:\Windows\system\mscoree.dll | Kazekage.exe
File created | C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe | Kazekage.exe
File created | C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\msvbvm60.dll | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe | Gaara.exe
File opened for modification | C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe | csrss.exe
File created | C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe | csrss.exe
File opened for modification | C:\Windows\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\system\mscoree.dll | Gaara.exe
File created | C:\Windows\WBEM\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | Kazekage.exe
File opened for modification | C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe | Kazekage.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | system32.exe
File opened for modification | C:\Windows\ | Gaara.exe
File opened for modification | C:\Windows\mscomctl.ocx | system32.exe
File opened for modification | C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | Gaara.exe
File opened for modification | C:\Windows\system\mscoree.dll | csrss.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | system32.exe
File opened for modification | C:\Windows\system\mscoree.dll | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File created | C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | csrss.exe
File created | C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe | system32.exe
File opened for modification | C:\Windows\mscomctl.ocx | smss.exe
File opened for modification | C:\Windows\ | Kazekage.exe
File created | C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe | smss.exe
File created | C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\system\mscoree.dll | system32.exe
File created | C:\Windows\mscomctl.ocx | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File created | C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe | smss.exe
File opened for modification | C:\Windows\mscomctl.ocx | Kazekage.exe
File created | C:\Windows\WBEM\msvbvm60.dll | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe | Gaara.exe
File opened for modification | C:\Windows\msvbvm60.dll | Gaara.exe
File created | C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe | csrss.exe
File created | C:\Windows\msvbvm60.dll | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File created | C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe | system32.exe
File created | C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll | system32.exe
File created | C:\Windows\system\msvbvm60.dll | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File created | C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll | Gaara.exe
File created | C:\Windows\WBEM\msvbvm60.dll | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
File created | C:\Windows\WBEM\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | csrss.exe
File created | C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe | csrss.exe
File opened for modification | C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe | csrss.exe
File opened for modification | C:\Windows\msvbvm60.dll | Kazekage.exe
File opened for modification | C:\Windows\system\msvbvm60.dll | smss.exe
File opened for modification | C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe | Gaara.exe
File created | C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe | system32.exe
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | smss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Kazekage.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Gaara.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | system32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | csrss.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ping.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
4660 | ping.exe
5860 | ping.exe
1648 | ping.exe
4768 | ping.exe
5892 | ping.exe
1124 | ping.exe
4892 | ping.exe
4604 | ping.exe
5784 | ping.exe
2888 | ping.exe
3880 | ping.exe
4888 | ping.exe
6024 | ping.exe
1940 | ping.exe
540 | ping.exe
532 | ping.exe
4288 | ping.exe
4648 | ping.exe
3788 | ping.exe
1456 | ping.exe
5976 | ping.exe
4688 | ping.exe
2228 | ping.exe
4936 | ping.exe
4652 | ping.exe
2432 | ping.exe
3152 | ping.exe
5448 | ping.exe
3744 | ping.exe
3320 | ping.exe
3984 | ping.exe
4896 | ping.exe
5668 | ping.exe
4056 | ping.exe
1964 | ping.exe
5860 | ping.exe
Modifies Control Panel 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\WallpaperStyle = "2" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\WallpaperStyle = "2" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\WallpaperStyle = "2" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\WallpaperStyle = "2" | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Size = "72" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\WallpaperStyle = "2" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\WallpaperStyle = "2" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | csrss.exe
Modifies Internet Explorer settings 12 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Software\Microsoft\Internet Explorer\Main smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe
Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Software\Microsoft\Internet Explorer\Main 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe
Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe
Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Software\Microsoft\Internet Explorer\Main system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Software\Microsoft\Internet Explorer\Main csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe
Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe
Modifies registry class 51 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe
Runs ping.exe 1 TTPs 36 IoCs
pid Process
ping.exe, 36 entries, in the order reported: 4892, 4888, 5860, 3880, 2888, 1124, 540, 4936, 4652, 4288, 4660, 4604, 3984, 4896, 4056, 6024, 1940, 1964, 5976, 5860, 1456, 1648, 5892, 5784, 2228, 3152, 3320, 3788, 5668, 532, 4768, 3744, 4648, 4688, 5448, 2432
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process
1912 smss.exe (24 entries)
2632 system32.exe (24 entries)
2256 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe (16 entries)
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process
2256 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
1912 smss.exe
4896 smss.exe
4716 Gaara.exe
1816 smss.exe
4028 Gaara.exe
4192 csrss.exe
1484 smss.exe
3212 Gaara.exe
5692 Gaara.exe
816 csrss.exe
5532 csrss.exe
2532 Kazekage.exe
2744 Kazekage.exe
4052 csrss.exe
2632 system32.exe
2432 Kazekage.exe
2592 smss.exe
5956 system32.exe
6132 Gaara.exe
4508 smss.exe
656 Gaara.exe
5292 csrss.exe
4616 csrss.exe
4504 Kazekage.exe
4452 system32.exe
5220 Kazekage.exe
5400 Kazekage.exe
3304 system32.exe
1156 system32.exe
4104 system32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
Each write below is reported as three identical entries unless noted; the source process, its PID, its image name and the target process id are given in that order.
PID 2256 wrote to memory of 1912 | 2256 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe | 88 (3 entries)
PID 1912 wrote to memory of 4896 | 1912 smss.exe | 90 (3 entries)
PID 1912 wrote to memory of 4716 | 1912 smss.exe | 91 (3 entries)
PID 4716 wrote to memory of 1816 | 4716 Gaara.exe | 93 (3 entries)
PID 4716 wrote to memory of 4028 | 4716 Gaara.exe | 94 (3 entries)
PID 4716 wrote to memory of 4192 | 4716 Gaara.exe | 97 (3 entries)
PID 4192 wrote to memory of 1484 | 4192 csrss.exe | 101 (3 entries)
PID 4192 wrote to memory of 3212 | 4192 csrss.exe | 102 (3 entries)
PID 2256 wrote to memory of 5692 | 2256 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe | 103 (3 entries)
PID 4192 wrote to memory of 816 | 4192 csrss.exe | 104 (3 entries)
PID 2256 wrote to memory of 5532 | 2256 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe | 105 (3 entries)
PID 2256 wrote to memory of 2744 | 2256 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe | 108 (3 entries)
PID 4192 wrote to memory of 2532 | 4192 csrss.exe | 107 (3 entries)
PID 1912 wrote to memory of 4052 | 1912 smss.exe | 110 (3 entries)
PID 1912 wrote to memory of 2432 | 1912 smss.exe | 111 (3 entries)
PID 2256 wrote to memory of 2632 | 2256 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe | 112 (3 entries)
PID 2532 wrote to memory of 2592 | 2532 Kazekage.exe | 113 (3 entries)
PID 1912 wrote to memory of 5956 | 1912 smss.exe | 116 (3 entries)
PID 2532 wrote to memory of 6132 | 2532 Kazekage.exe | 117 (3 entries)
PID 2632 wrote to memory of 4508 | 2632 system32.exe | 118 (3 entries)
PID 2632 wrote to memory of 656 | 2632 system32.exe | 120 (3 entries)
PID 2532 wrote to memory of 5292 | 2532 Kazekage.exe | 121 (1 entry)
System policy modification 1 TTPs 12 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe
Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe (tree depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\2025-05-18_9b4432eb727a9219d5e88d3ad3643644_amadey_black-basta_elex_luca-stealer.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2256

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe (tree depth 2)
Command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 1912

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe (tree depth 3)
Command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4896
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe (tree depth 3)
Command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 4716

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe (tree depth 4)
Command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1816

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe (tree depth 4)
Command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4028
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe (tree depth 4)
Command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 4192

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe (tree depth 5)
Command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1484

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe (tree depth 5)
Command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3212

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe (tree depth 5)
Command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 816
C:\Windows\SysWOW64\drivers\Kazekage.exe (tree depth 5)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 2532

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe (tree depth 6)
Command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2592

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe (tree depth 6)
Command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 6132

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe (tree depth 6)
Command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5292

C:\Windows\SysWOW64\drivers\Kazekage.exe (tree depth 6)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4504

C:\Windows\SysWOW64\drivers\system32.exe (tree depth 6)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4452
C:\Windows\SysWOW64\ping.exe (tree depth 6)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4648

C:\Windows\SysWOW64\ping.exe (tree depth 6)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4888

C:\Windows\SysWOW64\ping.exe (tree depth 6)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4896

C:\Windows\SysWOW64\ping.exe (tree depth 6)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1964

C:\Windows\SysWOW64\ping.exe (tree depth 6)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1648

C:\Windows\SysWOW64\ping.exe (tree depth 6)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 532
C:\Windows\SysWOW64\drivers\system32.exe (tree depth 5)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1156

C:\Windows\SysWOW64\ping.exe (tree depth 5)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4660

C:\Windows\SysWOW64\ping.exe (tree depth 5)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4892

C:\Windows\SysWOW64\ping.exe (tree depth 5)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1456

C:\Windows\SysWOW64\ping.exe (tree depth 5)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4688

C:\Windows\SysWOW64\ping.exe (tree depth 5)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2888

C:\Windows\SysWOW64\ping.exe (tree depth 5)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4936
C:\Windows\SysWOW64\drivers\Kazekage.exe (tree depth 4)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5220

C:\Windows\SysWOW64\drivers\system32.exe (tree depth 4)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3304

C:\Windows\SysWOW64\ping.exe (tree depth 4)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3320

C:\Windows\SysWOW64\ping.exe (tree depth 4)
Command line: ping -a -l www.duniasex.com 65500
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1124

C:\Windows\SysWOW64\ping.exe (tree depth 4)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3984

C:\Windows\SysWOW64\ping.exe (tree depth 4)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5784

C:\Windows\SysWOW64\ping.exe (tree depth 4)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4056

C:\Windows\SysWOW64\ping.exe (tree depth 4)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5668
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe (tree depth 3)
Command line: "C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4052

C:\Windows\SysWOW64\drivers\Kazekage.exe (tree depth 3)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2432

C:\Windows\SysWOW64\drivers\system32.exe (tree depth 3)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5956

C:\Windows\SysWOW64\ping.exe (tree depth 3)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3744

C:\Windows\SysWOW64\ping.exe (tree depth 3)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4288

C:\Windows\SysWOW64\ping.exe (tree depth 3)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1940

C:\Windows\SysWOW64\ping.exe (tree depth 3)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 540

C:\Windows\SysWOW64\ping.exe (tree depth 3)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5448

C:\Windows\SysWOW64\ping.exe (tree depth 3)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3880
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5692
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5532
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2744
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2632 -
C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4508
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:656
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4616
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5400
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4104
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4604
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5860
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5976
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2228
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4768
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4652
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5892
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2432
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3788
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6024
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3152
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5860
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\smss.exe1⤵PID:5304
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\Gaara.exe1⤵PID:1784
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 18-5-2025.exe1⤵PID:1984
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:1800
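Three patterns in the tree above are worth turning into endpoint detections: Windows system binary names (csrss.exe, smss.exe) and a non-existent "system32.exe" running from C:\Windows\Fonts\ and from a drivers directory; .exe files executing from a drivers directory at all; and repeated ping runs with -l 65500 (the largest payload ping accepts) against two public hostnames. In the recorded command lines the hostname sits in the slot where ping expects the byte count, so the command is malformed as written; the rules below key on the intent rather than on whether ping parses it. The following is an added example and not part of the sandbox report or the malware's own code. The events are constructed to mirror the tree (the PIDs 2632, 4508, 5400, 4604, 5860 and 5304 are taken from it); the field layout (pid, ppid, image, command_line), the parent PIDs, the two benign control events and the rule names are assumptions.

```python
"""Triage rules for the process tree above (added example, not from the report).

SAMPLE_EVENTS is constructed to mirror the report's tree plus two benign
controls; the field layout and rule names are assumptions.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List

# Names that only legitimately run from System32 (or its WOW64 twin).
PROTECTED_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "userinit.exe"}
BOGUS_NAMES = {"system32.exe"}  # no such Windows binary exists
LEGIT_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}


def _split_image(image: str):
    directory, _, name = image.lower().rpartition("\\")
    return directory, name


def classify(event: Dict) -> List[str]:
    """Return the names of every rule that fires for one process-creation event."""
    directory, name = _split_image(event["image"])
    cmd = event["command_line"].lower()
    hits = []
    if name in BOGUS_NAMES or (name in PROTECTED_NAMES and directory not in LEGIT_SYSTEM_DIRS):
        hits.append("masquerading_system_binary")
    if "\\windows\\fonts\\" in directory + "\\" and name.endswith(".exe"):
        hits.append("exe_in_fonts_dir")  # Fonts holds font files, not programs
    if directory.endswith("\\drivers") and name.endswith(".exe"):
        hits.append("exe_in_drivers_dir")  # drivers holds .sys files, not .exe
    # -l 65500 is the largest payload ping accepts; with a public hostname it is
    # the worm "ping flood" pattern. Keyed on intent, not on whether ping parses it.
    if name == "ping.exe" and re.search(r"(^|\s)-l\b", cmd) and "65500" in cmd:
        hits.append("ping_flood_attempt")
    if name == "cmd.exe" and "/c" in cmd and any(d in cmd for d in ("fonts\\", "drivers\\")):
        hits.append("cmd_launches_dropped_file")
    return hits


def triage(events: List[Dict]) -> Dict[int, List[str]]:
    """PID -> rule hits, omitting events on which nothing fired."""
    return {e["pid"]: hits for e in events if (hits := classify(e))}


def flood_targets(events: List[Dict]) -> Counter:
    """Count hostnames targeted by ping-flood attempts (a dotted, non-numeric token)."""
    counts: Counter = Counter()
    for e in events:
        if "ping_flood_attempt" in classify(e):
            for tok in e["command_line"].split():
                if "." in tok and not tok.startswith("-") and not tok.replace(".", "").isdigit():
                    counts[tok.lower()] += 1
    return counts


def fanout_parents(events: List[Dict]) -> List[int]:
    """Parents that both launch dropped executables and spawn ping floods: the shape of the tree."""
    per_parent = defaultdict(set)
    for e in events:
        per_parent[e["ppid"]].update(classify(e))
    drop = {"exe_in_fonts_dir", "exe_in_drivers_dir"}
    return sorted(p for p, hits in per_parent.items() if "ping_flood_attempt" in hits and hits & drop)


# Constructed events modelled on the report's tree; PPIDs and the two
# control events (PIDs 7001, 7002) are invented.
SAMPLE_EVENTS = [
    {"pid": 2632, "ppid": 1000, "image": r"C:\Windows\SysWOW64\drivers\system32.exe",
     "command_line": r"C:\Windows\system32\drivers\system32.exe"},
    {"pid": 4508, "ppid": 2632, "image": r"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe",
     "command_line": r'"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"'},
    {"pid": 5400, "ppid": 2632, "image": r"C:\Windows\SysWOW64\drivers\Kazekage.exe",
     "command_line": r"C:\Windows\system32\drivers\Kazekage.exe"},
    {"pid": 4604, "ppid": 2632, "image": r"C:\Windows\SysWOW64\ping.exe",
     "command_line": "ping -a -l www.rasasayang.com.my 65500"},
    {"pid": 5860, "ppid": 2632, "image": r"C:\Windows\SysWOW64\ping.exe",
     "command_line": "ping -a -l www.duniasex.com 65500"},
    {"pid": 5304, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"C:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\smss.exe"},
    {"pid": 7001, "ppid": 900, "image": r"C:\Windows\System32\ping.exe",  # benign control
     "command_line": "ping -n 1 localhost"},
    {"pid": 7002, "ppid": 900, "image": r"C:\Windows\System32\csrss.exe",  # benign control
     "command_line": r"%SystemRoot%\system32\csrss.exe"},
]

if __name__ == "__main__":
    for pid, hits in triage(SAMPLE_EVENTS).items():
        print(pid, ", ".join(hits))
    print("flood targets:", dict(flood_targets(SAMPLE_EVENTS)))
    print("fan-out parents:", fanout_parents(SAMPLE_EVENTS))
```

The image-path rules deliberately look at where the file runs from rather than at its name alone, so the same three rules cover the Fonts copies, the SysWOW64\drivers copies and any further drop directory the sample chooses; fanout_parents ties the flood back to the process that staged the payloads, which is the node to pivot on when reconstructing the chain from Sysmon or EDR telemetry.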
Network
MITRE ATT&CK Enterprise v16 (numbers are the report's hit counts per technique)
Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
- Event Triggered Execution (T1546): 1
  - Image File Execution Options Injection (T1546.012): 1
Privilege Escalation
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
- Event Triggered Execution (T1546): 1
  - Image File Execution Options Injection (T1546.012): 1
Defense Evasion
- Abuse Elevation Control Mechanism (T1548): 1
  - Bypass User Account Control (T1548.002): 1
- Hide Artifacts (T1564): 2
  - Hidden Files and Directories (T1564.001): 2
- Impair Defenses (T1562): 1
  - Disable or Modify Tools (T1562.001): 1
- Modify Registry (T1112): 8
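Every technique in this mapping except the UAC bypass lives in a handful of registry locations, so a host-side check is mostly a registry audit. The following is an added example, not the sandbox's or the malware's code: it parses a regedit export and reports Winlogon Shell/Userinit tampering, IFEO Debugger values, Run entries that point into the drop directories seen in the process tree, the Explorer settings that hide file extensions and hidden/system files, the RegEdit lockout, and EnableLUA=0. The sample export is constructed from paths in the tree; the IFEO target (taskmgr.exe), the Run value names and the benign OneDrive entry are assumptions. Winlogon is checked under both the native key and its WOW6432Node twin, where a 32-bit writer's values can land.

```python
"""Audit a .reg export for the persistence and evasion settings mapped above
(added example, not from the report). SAMPLE_REG and CLEAN_REG are constructed;
the IFEO target, Run value names and the OneDrive entry are placeholders."""
import re
from typing import Dict, List

BS = "\\"
WINLOGON_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon",
)
IFEO = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
POLICY_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System",
)
DROP_DIRS = ("\\windows\\fonts\\", "\\drivers\\")  # where the tree above runs from
# Explorer\Advanced values that hide what the dropper wants hidden.
EXPLORER_HIDES = (("HideFileExt", 1, "file extensions"), ("Hidden", 2, "hidden files"),
                  ("ShowSuperHidden", 0, "protected OS files"))


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Parse .reg text into {key: {value name: data}}; strings and dwords decoded, rest kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and (m := re.match(r'^(?:"([^"]+)"|(@))=(.*)$', line)):
            name = m.group(1) if m.group(1) is not None else "(Default)"
            data = m.group(3)
            if data.startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                # .reg doubles backslashes and escapes quotes inside string data
                keys[current][name] = data[1:-1].replace(BS + BS, BS).replace(BS + '"', '"')
            else:
                keys[current][name] = data
    return keys


def _entries(value: str) -> List[str]:
    return [p.strip().lower() for p in value.split(",") if p.strip()]


def audit(keys: Dict[str, Dict[str, object]]) -> List[str]:
    """One finding per deviation from a clean default."""
    lower = {k.lower(): v for k, v in keys.items()}
    get = lambda key: lower.get(key.lower(), {})  # noqa: E731
    findings = []
    for wk in WINLOGON_KEYS:
        wl = get(wk)
        if "Shell" in wl and _entries(str(wl["Shell"])) != ["explorer.exe"]:
            findings.append(f"Winlogon Shell under {wk} = {wl['Shell']!r}")
        if "Userinit" in wl:
            ui = _entries(str(wl["Userinit"]))
            if len(ui) != 1 or not ui[0].endswith("userinit.exe"):
                findings.append(f"Winlogon Userinit under {wk} = {wl['Userinit']!r}")
    for key, values in keys.items():
        if key.lower().startswith(IFEO.lower() + BS) and "Debugger" in values:
            findings.append(f"IFEO Debugger for {key.rsplit(BS, 1)[-1]} = {values['Debugger']!r}")
    for rk in RUN_KEYS:
        for name, cmd in get(rk).items():
            if any(d in str(cmd).lower() for d in DROP_DIRS):
                findings.append(f"Run value {name!r} starts {cmd!r}")
    adv = get(ADVANCED)
    for name, bad, what in EXPLORER_HIDES:
        if adv.get(name) == bad:
            findings.append(f"Explorer hides {what} ({name}={bad})")
    for pk in POLICY_KEYS:
        pol = get(pk)
        if pol.get("DisableRegistryTools") == 1:
            findings.append(f"Registry Editor disabled under {pk}")
        if pol.get("EnableLUA") == 0:
            findings.append("UAC disabled (EnableLUA=0)")
    return findings


SAMPLE_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe, drivers\\csrss.exe"
"Userinit"="userinit.exe,drivers\\system32.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe]
"Debugger"="drivers\\Kazekage.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Gaara"="C:\\Windows\\Fonts\\Admin 18 - 5 - 2025\\Gaara.exe"
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"EnableLUA"=dword:00000000
'''
CLEAN_REG = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
'''
```

On a live host, feed it the output of `reg export` for the keys above; reg export writes UTF-16 with a BOM, so open the file with encoding="utf-16" before passing the text to parse_reg. The Userinit rule accepts a single entry whose file name is userinit.exe rather than the exact default string, because the default is stored with a trailing comma and is sometimes written with different casing by imaging tools.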
Downloads
- Filesize: 736B
  MD5: bb5d6abdf8d0948ac6895ce7fdfbc151
  SHA1: 9266b7a247a4685892197194d2b9b86c8f6dddbd
  SHA256: 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
  SHA512: 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

- Filesize: 196B
  MD5: 1564dfe69ffed40950e5cb644e0894d1
  SHA1: 201b6f7a01cc49bb698bea6d4945a082ed454ce4
  SHA256: be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
  SHA512: 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

- Filesize: 8.2MB
  MD5: 13cc0e7abad80b608f8cdaa51d950dad
  SHA1: 687721857753064879660fd7a0fafa7239b8b336
  SHA256: a2ee7a885d68f4bcb164ee96721f69abbc7d8d3cd4e31125956dabc61e0c37fd
  SHA512: 0d837e527e12829c45c50adbf18f7ed8e411d71a2ce366ad74ebceef216278e26e6fc553db4e0497ebc1391b14e6054de1a54fe53944c960c5e144ec854b9885

- Filesize: 8.2MB
  MD5: 9b4432eb727a9219d5e88d3ad3643644
  SHA1: be5af80260e18da279d57d42fecd95a6d80d9400
  SHA256: 25ce3600ca36c785efa81485fa919ae06dee2254708a9e1b015019c8a699d026
  SHA512: 9d90078959b81dd43bc7b6cd3f240aba993b059a270fa4f5706a2f86dab7e9d9f693ff0f1acbcb70d1cf4a49cb8e30d1678a8ad5fd46527c8de239aa15562047

- Filesize: 8.2MB
  MD5: a1eb5bb162f7487608796006a671bf98
  SHA1: 868fb4504c2a59304c2d1dd6ef81e8b8b94ad07d
  SHA256: 4ffe585f154b3e6796e325be79e3c22ba593aea258819a27be3f4e708f48d061
  SHA512: db25401ba8c48508c251493e905b10e613bc2e88276bb9874212e66fdfcaa55165cd0224c05cdd1097e114c6faf824ac5cde6de08526ca9a99eddff0915f9525

- Filesize: 8.2MB
  MD5: 106b6cdd9b455c3207198e611c6baa77
  SHA1: f2f85bfed6aa62b8c964b240ccadda6cab302916
  SHA256: 8ce05ed854feb28dca5e669f6c56943c12b44f222cb365e40e704db47b0cf26e
  SHA512: f6d8b47aa6289506ebf16770f5f90b7f3b8166b79a91c0cd51adf5ce66dd492a5a0707ed327487b5b53890a8a30f64c3ec2a424cca8cb9f8966e70b2e3849f93

- Filesize: 8.2MB
  MD5: fe1313250cc3a8b49dfa4d1bd474fc29
  SHA1: 9adbdf3635b3a8824939c7a8cdcc5de9f16a3b87
  SHA256: 3b878a35580dba3028adde444b3ed4a98310be40601d146334905669c92723a2
  SHA512: 29daf863c944ceba37401bbd97a46de7b75e7a9820900a96da1d3a382061c38f13193f439ec583a255a9bd6628b0f080b77e736ef65e28a6361f011f366419d0

- Filesize: 1.4MB
  MD5: d6b05020d4a0ec2a3a8b687099e335df
  SHA1: df239d830ebcd1cde5c68c46a7b76dad49d415f4
  SHA256: 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
  SHA512: 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

- Filesize: 8.2MB
  MD5: f08cd08360cd75abed42de35c4164722
  SHA1: c918fc66a3d43efe3cd44ec3e1eea028a8617b6c
  SHA256: 5010ba947844e69ec2d886b9eae646b5c5b7c402c0c6bd570d334745bf6771f6
  SHA512: 7732759a313e34e8d0ff633a23777d797b46d9821c448d7fe508d1375e9947d6e0fb2edd5ae610efaf9434490f2c14294f240009dbbc2aa2626a154085df30f2

- Filesize: 8.2MB
  MD5: 4e2e4721627f960a2b543b11cc03ab2e
  SHA1: 5be921ced7ccecaae948219d2135b4748e232d0b
  SHA256: 7c02d2ca729a14b68f4525c6dfb8516c4859dc6d11fe429f7e3f3345b0dee001
  SHA512: a31183f480fe545650fa46898b78f307656909ca54c9b5d8769b489a4ff68ea1834ea388ee34125608451fb6cc003963616fac7561891fc09887845bc63579f5

- Filesize: 8.2MB
  MD5: d262600bb9e7b2840a6b99bd7bf7ce78
  SHA1: 5785a5177b52d74a614effbdb0ef06853e890787
  SHA256: 65122fed9ac10d3c813d90dc6fc942f1331eb8b33aa7fb8cd0ec93c973790e43
  SHA512: 41f9754022d4c93430781a68ce9a5514a0a0d287053aba08c821e12565354deeb004fff66523aa13f27a758a72ab3911504ec2714103eed0393fdabac2bb4460

- Filesize: 8.2MB
  MD5: 264019dc0616f25b68aeaf3ee6e6ced1
  SHA1: c31b9f17108e06a2f441e7689293ec6f7959285a
  SHA256: 3431acf74dc0db44d14da6beba349995f3192abd623ed98a28bb94685d4ff642
  SHA512: 177b15ddb8322a6c2d8d013bf992c447c34fab7302faa423c51fe27678e0601b6093a6eb776bd478ab57726756729374042545a79d4a9bf7e6b68ef3408877c4

- Filesize: 65B
  MD5: 64acfa7e03b01f48294cf30d201a0026
  SHA1: 10facd995b38a095f30b4a800fa454c0bcbf8438
  SHA256: ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
  SHA512: 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

- Filesize: 8.2MB
  MD5: 1be6b1b740db575bd82068a86d79b7e4
  SHA1: 5a171547e68aefc0ffb4be6c326d72cdb56bbc71
  SHA256: 9febfe6c3048abe804578b8932666d467460b89645c3c86b88c7e7a1d503527c
  SHA512: ef0599fcc971023bd2290a6bb8b49becf7cde8390f0b50916630ad29585742922762beab61299555cc490206fd98240b1ddf871a0f49afef60f8af6135ad2254

- Filesize: 8.2MB
  MD5: 9e3ca8ddcc2feff543be42f27ab750a3
  SHA1: 851fe856ea2ae5500b64a7dcf2c5082887297bbb
  SHA256: 255c7a4aef322afc62727c11155e67217a60a95ffede9b8e6e81e3135b3841a8
  SHA512: b2c6f4d9020725c2fa212d406910771c11984dc63ea6ead6e14a1829ac723987390e4afef3779a85e9692939eee8c1b7e29021fd7e4b3b405b5f2630346281d0

- Filesize: 8.2MB
  MD5: 7349206444271f9f4e7e206e612ae0af
  SHA1: d2de0239ec469466b9bfb0a31fa85133feb8a719
  SHA256: bd055237c25690e5276b6330e6157f0072895179a85bc35f8644d438c75662b8
  SHA512: 58092dcb1d871618fda55ab2afc8d06d2819785cd42d29d9f8f48b58d48173a7b1c2fbde391ccbfd1038ce5aa8bd0366c50c8f8a5dbba5130de0e17228722a14

- Filesize: 8.2MB
  MD5: 84a9c36bd73865680516d0c4242aac77
  SHA1: e1b4e085edb56f8231d4e92628ee76ec29a12b20
  SHA256: e452e0656b0c1228a102121d09de46edb5c79a02cb8b72f44d5953f62c45c9bd
  SHA512: 948b10a5c05d7d10174cba77add2a75a76adb347bc1a6754aa4cd06f4d1ee9d0c649526c984abaad447b166728c4d90f16981be8044d1c09f6bd9a3e6c6609a6

- Filesize: 8.2MB
  MD5: d02a0ff7950c96edfe22d96a6993034f
  SHA1: 0718b701d891414450b90d74c1ea5da5e594c7c8
  SHA256: b63070330993441548b4d31201757d83f433176cb32e8b6a7d15ef8c4a030b19
  SHA512: 6f1d970494b3296490160061aa4033535abd04908fd6a800826c6f3485cdfc230a6d5c85942eb7f0356a9a6390bc4f857f4ff86f27aeb28868c0a0587dee650d

- Filesize: 8.2MB
  MD5: dd92b133000e3b55aa6a99620c6249a6
  SHA1: 34df75486500cd5258e412e9d7e94e170d11b7aa
  SHA256: 03ff993c9d4e36c281759b01b567f65fafbcbd4bc806e93fad8b89e44747d7bb
  SHA512: 77f7b74c7b2f95a8fce91fac4ce619030c29b922c8c3cc0fc9dfe2110dbfe3299f365bbd5dcab1ade4b67956baa16c820a870f80a53eb13a1c84dabf50dd29a0

- Filesize: 1.4MB
  MD5: 25f62c02619174b35851b0e0455b3d94
  SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
  SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
  SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a