Analysis
-
max time kernel
150s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system -
submitted
18/05/2025, 11:11
Behavioral task
behavioral1
Sample
2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe
Resource
win11-20250502-en
General
-
Target
2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe
-
Size
8.2MB
-
MD5
6db685c7c2e3c7b1262455f5dd2607f0
-
SHA1
795ac9de22496df1395ac03c2960d75e9fbb5264
-
SHA256
4e7db50b82d6096cc22d0e64a0513005e021cd11401799294d43f075ff960d39
-
SHA512
ac262ceb58e43899a5c08ab0abe45522855e1c88c2ff801190172f2f94fe7add8eae3aa43d95dbd2e8a74080486699c2ea25fba6be2ecf31c515d0e1e428be51
-
SSDEEP
49152:xyyqWyWy0GyqWyWyMRPC1eHc785dxytlWF17:xyyqWyWy0GyqWyWyMRPC1eHL5dxyjyp
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe -
UAC bypass 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe Gaara.exe -
Executes dropped EXE 30 IoCs
pid Process 1492 smss.exe 3580 smss.exe 2868 Gaara.exe 4684 smss.exe 116 Gaara.exe 3020 csrss.exe 1744 smss.exe 2296 Gaara.exe 4852 csrss.exe 536 Kazekage.exe 2240 Gaara.exe 3604 csrss.exe 4460 smss.exe 2916 Gaara.exe 1952 Kazekage.exe 4620 csrss.exe 3840 system32.exe 4864 csrss.exe 1916 Kazekage.exe 2696 Kazekage.exe 4064 system32.exe 4412 smss.exe 3608 system32.exe 1804 system32.exe 4684 Gaara.exe 5036 csrss.exe 704 Kazekage.exe 212 Kazekage.exe 1832 system32.exe 3708 system32.exe -
Loads dropped DLL 18 IoCs
pid Process 1492 smss.exe 3580 smss.exe 2868 Gaara.exe 4684 smss.exe 116 Gaara.exe 3020 csrss.exe 1744 smss.exe 2296 Gaara.exe 4852 csrss.exe 2240 Gaara.exe 3604 csrss.exe 4460 smss.exe 2916 Gaara.exe 4620 csrss.exe 4864 csrss.exe 4412 smss.exe 4684 Gaara.exe 5036 csrss.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" Kazekage.exe -
Checks whether UAC is enabled 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification \??\Y:\Desktop.ini Kazekage.exe File opened for modification F:\Desktop.ini 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\L:\Desktop.ini 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\E:\Desktop.ini system32.exe File opened for modification \??\I:\Desktop.ini system32.exe File opened for modification \??\Q:\Desktop.ini smss.exe File opened for modification \??\G:\Desktop.ini Kazekage.exe File opened for modification \??\T:\Desktop.ini Kazekage.exe File opened for modification \??\H:\Desktop.ini csrss.exe File opened for modification \??\W:\Desktop.ini csrss.exe File opened for modification \??\Z:\Desktop.ini csrss.exe File opened for modification \??\O:\Desktop.ini 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\I:\Desktop.ini Gaara.exe File opened for modification \??\S:\Desktop.ini Kazekage.exe File opened for modification C:\Desktop.ini 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\O:\Desktop.ini csrss.exe File opened for modification \??\U:\Desktop.ini 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\M:\Desktop.ini Gaara.exe File opened for modification \??\P:\Desktop.ini Gaara.exe File opened for modification \??\W:\Desktop.ini system32.exe File opened for modification \??\U:\Desktop.ini Kazekage.exe File opened for modification \??\X:\Desktop.ini Kazekage.exe File opened for modification D:\Desktop.ini csrss.exe File opened for modification \??\W:\Desktop.ini 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\H:\Desktop.ini Gaara.exe File opened for modification \??\V:\Desktop.ini system32.exe File opened for modification \??\A:\Desktop.ini Kazekage.exe File opened for modification C:\Desktop.ini Kazekage.exe File opened for modification \??\Z:\Desktop.ini 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\P:\Desktop.ini 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\O:\Desktop.ini Gaara.exe File opened for modification F:\Desktop.ini csrss.exe File opened for modification C:\Desktop.ini Gaara.exe File opened for modification D:\Desktop.ini system32.exe File opened for modification F:\Desktop.ini smss.exe File opened for modification \??\J:\Desktop.ini smss.exe File opened for modification \??\O:\Desktop.ini Kazekage.exe File opened for modification \??\P:\Desktop.ini Kazekage.exe File opened for modification \??\N:\Desktop.ini csrss.exe File opened for modification \??\S:\Desktop.ini 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\T:\Desktop.ini 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\L:\Desktop.ini Gaara.exe File opened for modification \??\A:\Desktop.ini csrss.exe File opened for modification \??\L:\Desktop.ini smss.exe File opened for modification \??\U:\Desktop.ini smss.exe File opened for modification C:\Desktop.ini system32.exe File opened for modification \??\U:\Desktop.ini system32.exe File opened for modification C:\Desktop.ini smss.exe File opened for modification \??\I:\Desktop.ini smss.exe File opened for modification \??\V:\Desktop.ini smss.exe File opened for modification C:\Desktop.ini csrss.exe File opened for modification \??\Z:\Desktop.ini Gaara.exe File opened for modification \??\K:\Desktop.ini system32.exe File opened for modification \??\R:\Desktop.ini system32.exe File opened for modification \??\W:\Desktop.ini smss.exe File opened for modification \??\V:\Desktop.ini Kazekage.exe File opened for modification \??\T:\Desktop.ini csrss.exe File opened for modification \??\A:\Desktop.ini system32.exe File opened for modification D:\Desktop.ini Kazekage.exe File opened for modification \??\Q:\Desktop.ini Kazekage.exe File opened for modification \??\R:\Desktop.ini Kazekage.exe File opened for modification \??\K:\Desktop.ini csrss.exe File opened for modification \??\L:\Desktop.ini csrss.exe File opened for modification \??\S:\Desktop.ini system32.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: smss.exe File opened (read-only) \??\W: Kazekage.exe File opened (read-only) \??\J: Kazekage.exe File opened (read-only) \??\T: Kazekage.exe File opened (read-only) \??\A: csrss.exe File opened (read-only) \??\A: 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\B: smss.exe File opened (read-only) \??\Q: smss.exe File opened (read-only) \??\P: Kazekage.exe File opened (read-only) \??\V: Kazekage.exe File opened (read-only) \??\K: csrss.exe File opened (read-only) \??\S: csrss.exe File opened (read-only) \??\G: 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\S: 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\E: csrss.exe File opened (read-only) \??\L: Gaara.exe File opened (read-only) \??\M: Gaara.exe File opened (read-only) \??\X: system32.exe File opened (read-only) \??\Y: Kazekage.exe File opened (read-only) \??\B: 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\P: Gaara.exe File opened (read-only) \??\V: Gaara.exe File opened (read-only) \??\J: smss.exe File opened (read-only) \??\B: Kazekage.exe File opened (read-only) \??\B: csrss.exe File opened (read-only) \??\V: csrss.exe File opened (read-only) \??\K: smss.exe File opened (read-only) \??\R: smss.exe File opened (read-only) \??\K: 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\X: 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\J: Gaara.exe File opened (read-only) \??\P: smss.exe File opened (read-only) \??\W: smss.exe File opened (read-only) \??\X: smss.exe File opened (read-only) \??\U: Kazekage.exe File opened (read-only) \??\U: csrss.exe File opened (read-only) \??\Y: csrss.exe File opened (read-only) \??\P: 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\Q: 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\E: 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\J: 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\G: system32.exe File opened (read-only) \??\R: system32.exe File opened (read-only) \??\W: system32.exe File opened (read-only) \??\T: smss.exe File opened (read-only) \??\J: csrss.exe File opened (read-only) \??\M: csrss.exe File opened (read-only) \??\P: csrss.exe File opened (read-only) \??\T: Gaara.exe File opened (read-only) \??\N: smss.exe File opened (read-only) \??\U: Gaara.exe File opened (read-only) \??\H: system32.exe File opened (read-only) \??\G: smss.exe File opened (read-only) \??\I: smss.exe File opened (read-only) \??\U: smss.exe File opened (read-only) \??\L: csrss.exe File opened (read-only) \??\T: 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\Q: Gaara.exe File opened (read-only) \??\W: Gaara.exe File opened (read-only) \??\A: Gaara.exe File opened (read-only) \??\G: Gaara.exe File opened (read-only) \??\O: Gaara.exe File opened (read-only) \??\H: Kazekage.exe File opened (read-only) \??\N: Kazekage.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created \??\N:\Autorun.inf Kazekage.exe File created \??\T:\Autorun.inf Kazekage.exe File opened for modification \??\M:\Autorun.inf 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File created \??\N:\Autorun.inf smss.exe File opened for modification \??\M:\Autorun.inf Gaara.exe File opened for modification \??\B:\Autorun.inf csrss.exe File created \??\X:\Autorun.inf csrss.exe File created \??\B:\Autorun.inf smss.exe File created \??\M:\Autorun.inf 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File created \??\A:\Autorun.inf Gaara.exe File created \??\V:\Autorun.inf system32.exe File opened for modification \??\B:\Autorun.inf 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification D:\Autorun.inf smss.exe File opened for modification \??\X:\Autorun.inf smss.exe File created \??\H:\Autorun.inf smss.exe File opened for modification \??\H:\Autorun.inf Gaara.exe File opened for modification \??\Y:\Autorun.inf csrss.exe File created \??\R:\Autorun.inf 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File created \??\V:\Autorun.inf smss.exe File opened for modification \??\O:\Autorun.inf csrss.exe File opened for modification \??\K:\Autorun.inf Kazekage.exe File opened for modification \??\L:\Autorun.inf system32.exe File opened for modification \??\O:\Autorun.inf system32.exe File opened for modification \??\X:\Autorun.inf system32.exe File created \??\E:\Autorun.inf 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File created \??\T:\Autorun.inf smss.exe File created \??\U:\Autorun.inf csrss.exe File created \??\W:\Autorun.inf Kazekage.exe File created \??\N:\Autorun.inf system32.exe File opened for modification \??\G:\Autorun.inf Gaara.exe File created \??\S:\Autorun.inf Gaara.exe File opened for modification \??\N:\Autorun.inf csrss.exe File opened for modification \??\S:\Autorun.inf csrss.exe File opened for modification F:\Autorun.inf 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File created \??\I:\Autorun.inf 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File created \??\W:\Autorun.inf csrss.exe File created \??\E:\Autorun.inf system32.exe File created \??\B:\Autorun.inf 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File created \??\S:\Autorun.inf 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File created \??\R:\Autorun.inf csrss.exe File opened for modification \??\G:\Autorun.inf Kazekage.exe File created \??\J:\Autorun.inf Kazekage.exe File opened for modification \??\K:\Autorun.inf 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Autorun.inf smss.exe File opened for modification \??\A:\Autorun.inf Kazekage.exe File opened for modification \??\H:\Autorun.inf Kazekage.exe File opened for modification \??\M:\Autorun.inf Kazekage.exe File opened for modification \??\N:\Autorun.inf Kazekage.exe File opened for modification \??\B:\Autorun.inf system32.exe File opened for modification \??\M:\Autorun.inf system32.exe File created \??\R:\Autorun.inf Gaara.exe File opened for modification \??\X:\Autorun.inf Gaara.exe File created \??\B:\Autorun.inf Kazekage.exe File created \??\E:\Autorun.inf Kazekage.exe File created \??\Q:\Autorun.inf system32.exe File opened for modification \??\V:\Autorun.inf 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File created \??\P:\Autorun.inf csrss.exe File created \??\O:\Autorun.inf system32.exe File opened for modification \??\X:\Autorun.inf 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File created \??\J:\Autorun.inf smss.exe File opened for modification \??\K:\Autorun.inf smss.exe File opened for modification \??\Z:\Autorun.inf smss.exe File opened for modification \??\R:\Autorun.inf Gaara.exe File created \??\L:\Autorun.inf 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe -
Drops file in System32 directory 39 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\18-5-2025.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\18-5-2025.exe csrss.exe File created C:\Windows\SysWOW64\Desktop.ini 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File opened for modification C:\Windows\SysWOW64\18-5-2025.exe 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\18-5-2025.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\18-5-2025.exe system32.exe File created C:\Windows\SysWOW64\mscomctl.ocx 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File created C:\Windows\SysWOW64\18-5-2025.exe 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\18-5-2025.exe smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File opened for modification C:\Windows\SysWOW64\ smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File created C:\Windows\SysWOW64\msvbvm60.dll 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\ 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\ system32.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe -
resource yara_rule behavioral1/memory/3120-0-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0031000000023fa6-11.dat upx behavioral1/files/0x000a000000023fa4-33.dat upx behavioral1/memory/1492-32-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x000a000000023faa-57.dat upx behavioral1/memory/3580-70-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x000a000000023fa9-53.dat upx behavioral1/files/0x0031000000023fa7-49.dat upx behavioral1/memory/3580-73-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x000a000000023fa5-75.dat upx behavioral1/memory/2868-76-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0031000000023fa6-84.dat upx behavioral1/files/0x000a000000023faa-96.dat upx behavioral1/memory/116-119-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3020-121-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3120-120-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1492-127-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0031000000023fa7-128.dat upx behavioral1/files/0x000a000000023faa-137.dat upx behavioral1/memory/2296-153-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2868-158-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2296-160-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4852-162-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x000a000000023fa9-164.dat upx behavioral1/memory/536-166-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0031000000023fa7-176.dat upx behavioral1/memory/3020-195-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2240-193-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4460-205-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1952-207-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3604-209-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1952-215-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x000a000000023faa-216.dat upx behavioral1/memory/3840-217-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2916-213-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/536-226-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4864-234-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1916-237-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3608-247-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2696-249-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4064-255-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3608-259-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4684-261-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1804-262-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3840-260-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/704-267-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1832-273-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/212-272-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3708-276-0x0000000000400000-0x000000000042B000-memory.dmp upx -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\msvbvm60.dll 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe File opened for modification C:\Windows\system\mscoree.dll smss.exe File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe smss.exe File opened for modification C:\Windows\mscomctl.ocx smss.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe csrss.exe File created C:\Windows\WBEM\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll Kazekage.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe system32.exe File created C:\Windows\WBEM\msvbvm60.dll system32.exe File opened for modification C:\Windows\mscomctl.ocx system32.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\WBEM\msvbvm60.dll 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\mscoree.dll csrss.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe Kazekage.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe system32.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe smss.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll smss.exe File opened for modification C:\Windows\system\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe Gaara.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll csrss.exe File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe Gaara.exe File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\ system32.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Gaara.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe csrss.exe File opened for modification C:\Windows\ Gaara.exe File opened for modification C:\Windows\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe Kazekage.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe Gaara.exe File created C:\Windows\system\msvbvm60.dll 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe Gaara.exe File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe File opened for modification C:\Windows\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\system\mscoree.dll 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\ 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe smss.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe smss.exe File opened for modification C:\Windows\system\mscoree.dll Gaara.exe File created C:\Windows\Fonts\The Kazekage.jpg 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe Kazekage.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe csrss.exe File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe File created C:\Windows\WBEM\msvbvm60.dll Kazekage.exe File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe system32.exe File opened for modification C:\Windows\mscomctl.ocx csrss.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe smss.exe File opened for modification C:\Windows\system\mscoree.dll Kazekage.exe File opened for modification C:\Windows\system\mscoree.dll system32.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 34 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 4472 ping.exe 2700 ping.exe 1904 ping.exe 2252 ping.exe 5048 ping.exe 4808 ping.exe 2864 ping.exe 3572 ping.exe 4544 ping.exe 748 ping.exe 3348 ping.exe 2940 ping.exe 2304 ping.exe 1836 ping.exe 4088 ping.exe 4696 ping.exe 5036 ping.exe 1676 ping.exe 212 ping.exe 3656 ping.exe 4292 ping.exe 1044 ping.exe 1536 ping.exe 3856 ping.exe 1156 ping.exe 564 ping.exe 2856 ping.exe 3964 ping.exe 4244 ping.exe 4504 ping.exe 3592 ping.exe 4088 ping.exe 2024 ping.exe 996 ping.exe -
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\WallpaperStyle = "2" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\WallpaperStyle = "2" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\WallpaperStyle = "2" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Size = "72" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Size = "72" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" system32.exe Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Size = "72" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee Kazekage.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe -
Modifies registry class 51 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe -
Runs ping.exe 1 TTPs 34 IoCs
pid Process 1156 ping.exe 3592 ping.exe 996 ping.exe 4472 ping.exe 2024 ping.exe 1904 ping.exe 5048 ping.exe 3572 ping.exe 5036 ping.exe 4244 ping.exe 3856 ping.exe 564 ping.exe 2304 ping.exe 3656 ping.exe 748 ping.exe 1836 ping.exe 1536 ping.exe 1676 ping.exe 4292 ping.exe 4696 ping.exe 1044 ping.exe 2864 ping.exe 4088 ping.exe 212 ping.exe 4504 ping.exe 4808 ping.exe 4088 ping.exe 2252 ping.exe 2856 ping.exe 2700 ping.exe 4544 ping.exe 3348 ping.exe 3964 ping.exe 2940 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 1492 smss.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 3020 csrss.exe 3020 csrss.exe 3020 csrss.exe 3020 csrss.exe 3020 csrss.exe 3020 csrss.exe 3020 csrss.exe 3020 csrss.exe 3020 csrss.exe 3020 csrss.exe 3020 csrss.exe 3020 csrss.exe 3020 csrss.exe 3020 csrss.exe 3020 csrss.exe 3020 csrss.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 3120 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe 1492 smss.exe 3580 smss.exe 2868 Gaara.exe 4684 smss.exe 116 Gaara.exe 3020 csrss.exe 1744 smss.exe 2296 Gaara.exe 4852 csrss.exe 536 Kazekage.exe 2240 Gaara.exe 3604 csrss.exe 4460 smss.exe 2916 Gaara.exe 1952 Kazekage.exe 4620 csrss.exe 3840 system32.exe 4864 csrss.exe 1916 Kazekage.exe 2696 Kazekage.exe 4064 system32.exe 4412 smss.exe 3608 system32.exe 1804 system32.exe 4684 Gaara.exe 5036 csrss.exe 704 Kazekage.exe 212 Kazekage.exe 1832 system32.exe 3708 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3120 wrote to memory of 1492 3120 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe 85 PID 3120 wrote to memory of 1492 3120 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe 85 PID 3120 wrote to memory of 1492 3120 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe 85 PID 1492 wrote to memory of 3580 1492 smss.exe 87 PID 1492 wrote to memory of 3580 1492 smss.exe 87 PID 1492 wrote to memory of 3580 1492 smss.exe 87 PID 1492 wrote to memory of 2868 1492 smss.exe 88 PID 1492 wrote to memory of 2868 1492 smss.exe 88 PID 1492 wrote to memory of 2868 1492 smss.exe 88 PID 2868 wrote to memory of 4684 2868 Gaara.exe 89 PID 2868 wrote to memory of 4684 2868 Gaara.exe 89 PID 2868 wrote to memory of 4684 2868 Gaara.exe 89 PID 2868 wrote to memory of 116 2868 Gaara.exe 91 PID 2868 wrote to memory of 116 2868 Gaara.exe 91 PID 2868 wrote to memory of 116 2868 Gaara.exe 91 PID 2868 wrote to memory of 3020 2868 Gaara.exe 92 PID 2868 wrote to memory of 3020 2868 Gaara.exe 92 PID 2868 wrote to memory of 3020 2868 Gaara.exe 92 PID 3020 wrote to memory of 1744 3020 csrss.exe 95 PID 3020 wrote to memory of 1744 3020 csrss.exe 95 PID 3020 wrote to memory of 1744 3020 csrss.exe 95 PID 3020 wrote to memory of 2296 3020 csrss.exe 98 PID 3020 wrote to memory of 2296 3020 csrss.exe 98 PID 3020 wrote to memory of 2296 3020 csrss.exe 98 PID 3020 wrote to memory of 4852 3020 csrss.exe 99 PID 3020 wrote to memory of 4852 3020 csrss.exe 99 PID 3020 wrote to memory of 4852 3020 csrss.exe 99 PID 3020 wrote to memory of 536 3020 csrss.exe 100 PID 3020 wrote to memory of 536 3020 csrss.exe 100 PID 3020 wrote to memory of 536 3020 csrss.exe 100 PID 3120 wrote to memory of 2240 3120 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe 102 PID 3120 wrote to memory of 2240 3120 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe 102 PID 3120 wrote to memory of 2240 3120 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe 102 PID 3120 wrote to memory of 3604 3120 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe 103 PID 3120 wrote to memory of 3604 3120 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe 103 PID 3120 wrote to memory of 3604 3120 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe 103 PID 536 wrote to memory of 4460 536 Kazekage.exe 104 PID 536 wrote to memory of 4460 536 Kazekage.exe 104 PID 536 wrote to memory of 4460 536 Kazekage.exe 104 PID 536 wrote to memory of 2916 536 Kazekage.exe 106 PID 536 wrote to memory of 2916 536 Kazekage.exe 106 PID 536 wrote to memory of 2916 536 Kazekage.exe 106 PID 3120 wrote to memory of 1952 3120 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe 107 PID 3120 wrote to memory of 1952 3120 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe 107 PID 3120 wrote to memory of 1952 3120 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe 107 PID 536 wrote to memory of 4620 536 Kazekage.exe 110 PID 536 wrote to memory of 4620 536 Kazekage.exe 110 PID 536 wrote to memory of 4620 536 Kazekage.exe 110 PID 3120 wrote to memory of 3840 3120 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe 111 PID 3120 wrote to memory of 3840 3120 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe 111 PID 3120 wrote to memory of 3840 3120 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe 111 PID 1492 wrote to memory of 4864 1492 smss.exe 112 PID 1492 wrote to memory of 4864 1492 smss.exe 112 PID 1492 wrote to memory of 4864 1492 smss.exe 112 PID 536 wrote to memory of 1916 536 Kazekage.exe 113 PID 536 wrote to memory of 1916 536 Kazekage.exe 113 PID 536 wrote to memory of 1916 536 Kazekage.exe 113 PID 1492 wrote to memory of 2696 1492 smss.exe 114 PID 1492 wrote to memory of 2696 1492 smss.exe 114 PID 1492 wrote to memory of 2696 1492 smss.exe 114 PID 536 wrote to memory of 4064 536 Kazekage.exe 115 PID 536 wrote to memory of 4064 536 Kazekage.exe 115 PID 536 wrote to memory of 4064 536 Kazekage.exe 115 PID 3840 wrote to memory of 4412 3840 system32.exe 116 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3120 -
C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1492 -
C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3580
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2868 -
C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4684
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:116
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3020 -
C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1744
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2296
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4852
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:536 -
C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4460
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2916
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4620
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1916
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4064
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4696
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:212
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4808
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5048
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2304
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5036
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1804
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4088
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4292
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2252
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:564
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4472
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4544
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:704
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1832
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3348
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1676
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1044
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3592
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2700
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2940
-
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4864
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2696
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3608
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1536
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1836
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1156
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4504
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3572
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2864
-
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2240
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3604
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1952
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3840 -
C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4412
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4684
-
-
C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5036
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:212
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3708
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4244
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3964
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4088
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3656
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2024
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:748
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1904
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3856
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2856
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\smss.exe1⤵PID:4936
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\Gaara.exe1⤵PID:1688
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 18-5-2025.exe1⤵PID:1852
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:3236
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD51564dfe69ffed40950e5cb644e0894d1
SHA1201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA51272df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
8.2MB
MD5b40505dd9bfbd4cee5bbd3330764476b
SHA1260c7cf6363e052534320347f4c70e37649086d2
SHA256ba7960c02ac5bac9103b539efd0132c675444dd92a34c8d8b12f7f0446366fc0
SHA512a184224fefe6bb5ec0c2897c11a944e130db16a159fc4b047b997971a90b75028354f9d2c459eaf12d664d8ca9689d0ea38ae08147c7b6a1e6f561940825b33b
-
Filesize
8.2MB
MD56db685c7c2e3c7b1262455f5dd2607f0
SHA1795ac9de22496df1395ac03c2960d75e9fbb5264
SHA2564e7db50b82d6096cc22d0e64a0513005e021cd11401799294d43f075ff960d39
SHA512ac262ceb58e43899a5c08ab0abe45522855e1c88c2ff801190172f2f94fe7add8eae3aa43d95dbd2e8a74080486699c2ea25fba6be2ecf31c515d0e1e428be51
-
Filesize
8.2MB
MD50587e4f8237ea92f227b596ddeffe39b
SHA1b34b8ff8969df0a0a65eb5bdd2e4262f813dca98
SHA2563e284151765d98efa1fcb69c46e14c0bd594dd04179fefef3d662e4fe5423c81
SHA51212bcbc6b6872059fd8ae52271ae89daeebef5c44e0871ed94ad377db086111499e899c704d266f23c437772628ee59236a5a6ae3c1b9aa2c1dfcf9cb46e7ff9d
-
Filesize
8.2MB
MD5c1e12c8e320ba1262fb0d7b48f7830d8
SHA1b34424dde2a2de4edb039392f23b656032e59b93
SHA2566f861cfbd3569e9069f4c44459e8c05f428417eb6791ee52ba221d18646e67f5
SHA512fd9c257c47427f1e3315d7cf8e3c751c2a14f9e0beba86eeeb2259dccc0698b16a727126cfeca01f62315667df772394819aab754afdb09558cacd4acd59f244
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
8.2MB
MD59cfaa7f33f099a3a2111c467818a9453
SHA1e80ddc7b4d8ee03b035461f4621b690d9907dc0b
SHA256d36ce338e7609b4befad73350b8a1838cb908a64a1fc2462f5dd0910b3099b92
SHA512503b5643a6477cefa3f47e123e31ba33f5ec6339f9b840f7181525db1f6cc9526044237e508c1565da04e764476616ca95c7432d72a1946f3fee2da7478bff42
-
Filesize
8.2MB
MD573046555826e790b83611bcf283f89be
SHA162119c7facf960b4253a8798d5ba10c96bf9f721
SHA25693fbada7fd924b04f8ede0b55f8844968e43414e99c46127147c47f2a064660c
SHA51265971365bd97c1891569693712036ff0f8f7a9c4de675eed5e29e5327a4b5fe8c8796b71603663843b1f0ee42a59eca3a8df1e5b38071a6b674d6cd231ec489f
-
Filesize
8.2MB
MD582f89e0efd5366bf83fa3088cfee942e
SHA13b5d55ba9602668dca5d91e16e30efb7e66b9f07
SHA25650b7e07979abc00b558d66758f53fca92e51292fa0993eca7082a85c74f3c426
SHA512d06f9f4bc0214a25b602d1d41f0fed7bd11b766d20ad1d972f85d434fa4e56bcd28e65c83c40b4815d29e9110dd7347458cc42d3294ceb8211c868e98328876b
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
8.2MB
MD511d664154930e8524ec6f9c2ca5ec54a
SHA1a00e400329656d34f1e0f06f71e0bf71f3291997
SHA25699c87383e7ab52e3f32d9adc98aa275afee8304850d476495b035ebf6654c4a6
SHA512401f4259eb4af2abb8779fa26c5e94a9afffadbfe32538f0b667bd748ffd0463fc35a30adf73adaae15b1c2224a9bfb0dbb03c024d433c3ba518c2a7683045b7
-
Filesize
8.2MB
MD5b8856d5dc116af4b7b7b5acdfa60807f
SHA1573546145d4563bf060c0a46b4eee2d4da4dca2f
SHA256e4f94219841169ca940eb69ded9e54038e3e7c09b46dc8548f039448232bab0e
SHA512f2baec56290e3bfd139b4b726d057cf74a1fdf5c158ee845c6828b73a8fded3aacafd6e3f35a2c8eb173d2727991155f21ebd83213ce5c8e421be050b74fd91f
-
Filesize
8.2MB
MD543b3acde70a8e97ec5c1f56820746ef3
SHA1f5c85ecd27d36622a181c13009244befc9ba2ea6
SHA2567b4a68fd4cc6d6da139f0da8ca52ac170c1c939fa2c9bf499577a91bda8197c6
SHA512c0c94e4eb717622a9bb6d78eb886cc07577fbd9ad818828e5aa04e060e77540c05fc31768b0b565cc90cb011780b5fbc3e80b25177441029904d1db9f6919600
-
Filesize
8.2MB
MD52be3a78a67d8a21a0e57d09d8dc5b88d
SHA12196b991d80ed0ea9caa58dc8519cc2df9f63d67
SHA256c6d7e90e370c726fe78562dfbf095a8651139598400ab7e9b3a850767d40cb04
SHA51262540a1a6dc71de6b6916ce8bbc1e7483d387de9d6aae9f01866076a28af4ff6f2e54f4023b710d715e9d9a0fb5f436db2a4bba6e7e61b1b5ce2fd726cc3f51c
-
Filesize
8.2MB
MD5b90ebbf53af4a626ce927f6e6db5957f
SHA1e3e4eb6892b405d851f90f85405d2aa293a2f139
SHA256d401c64f7ce91605ebc2d4a556dce17a3a3a757305e2c21a22794fd67e6ab434
SHA5123a0158c06539e87994ff6420df79a017c17d483aade391c40cdc554453dfdcbe280bb93382a9b5a6c3ee2e2c52b0d47956d2d96543d987b7fec8ebba15e2e868
-
Filesize
8.2MB
MD505ceb1872969e2a0aa00d134559f611c
SHA19362de422bee0e6f17628573b992abe6e6f54db8
SHA256e2d0736f22fe1fffe8f0f08d1c0b60810eaee0522f748a32a5f6651ae3543e5e
SHA512eba0dce6e8ffd002672d552e06eb4169194264695919a68f3aa007dcecb6bc3ac77ad3870a8a60e2e46daf2f552d7f9c6da88cad1a56210350ee16f00d841f8a
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a