Analysis
max time kernel: 149s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/05/2025, 13:26

Behavioral task: behavioral1
Sample: 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Resource: win10v2004-20250502-en

Behavioral task: behavioral2
Sample: 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Resource: win11-20250502-en

General
Target: 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Size: 8.1MB
MD5: b8b2a4463646a9a50b5ef886d05b2bc0
SHA1: 6260b19ffd864de7e9c1828ff59f7176e83f1ac0
SHA256: fd3413c6e3fd46d8a89123b5146a5895b0c48ec7da50f5dde698609714e9c5af
SHA512: e31bf80d6bbd23ebe1008ee8322a317fb61ee5d9be13b98e67dd0a6ecbe9d259ecd44420bcdf60a79d6ed9368c0aa2128138e621addc21c9b52848cfbcb42094
SSDEEP: 49152:6GyqWyWy0GyqWyWyMRPC1eHc785dxytlWF17:6GyqWyWy0GyqWyWyMRPC1eHL5dxyjyp
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | Gaara.exe
Modifies visibility of hidden/system files in Explorer 2 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | smss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | Gaara.exe
UAC bypass 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Gaara.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | system32.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | csrss.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | Kazekage.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | smss.exe
Disables use of System Restore points 1 TTPs
Drops file in Drivers directory 24 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Executes dropped EXE 30 IoCs
pid | Process
1844 | smss.exe
1892 | smss.exe
1004 | Gaara.exe
2192 | smss.exe
4492 | Gaara.exe
3284 | csrss.exe
3332 | smss.exe
4072 | Gaara.exe
436 | csrss.exe
4136 | Gaara.exe
728 | csrss.exe
3124 | Kazekage.exe
3444 | Kazekage.exe
1748 | smss.exe
740 | system32.exe
4824 | csrss.exe
1788 | Gaara.exe
2372 | Kazekage.exe
1704 | csrss.exe
4760 | smss.exe
4000 | system32.exe
1532 | Kazekage.exe
3628 | Gaara.exe
1856 | system32.exe
5068 | csrss.exe
2596 | Kazekage.exe
3832 | Kazekage.exe
3216 | system32.exe
1168 | system32.exe
4932 | system32.exe
Loads dropped DLL 18 IoCs
pid | Process
1844 | smss.exe
1892 | smss.exe
1004 | Gaara.exe
2192 | smss.exe
4492 | Gaara.exe
3284 | csrss.exe
3332 | smss.exe
4072 | Gaara.exe
436 | csrss.exe
4136 | Gaara.exe
728 | csrss.exe
1748 | smss.exe
4824 | csrss.exe
1788 | Gaara.exe
1704 | csrss.exe
4760 | smss.exe
3628 | Gaara.exe
5068 | csrss.exe
Adds Run key to start application 2 TTPs 24 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | system32.exe
Checks whether UAC is enabled 1 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Drops desktop.ini file(s) 64 IoCs
description | ioc | Process
File opened for modification | \??\R:\Desktop.ini | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | C:\Desktop.ini | csrss.exe
File opened for modification | \??\I:\Desktop.ini | csrss.exe
File opened for modification | \??\M:\Desktop.ini | csrss.exe
File opened for modification | \??\J:\Desktop.ini | smss.exe
File opened for modification | \??\G:\Desktop.ini | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | \??\B:\Desktop.ini | system32.exe
File opened for modification | D:\Desktop.ini | Kazekage.exe
File opened for modification | \??\R:\Desktop.ini | Kazekage.exe
File opened for modification | \??\K:\Desktop.ini | smss.exe
File opened for modification | \??\R:\Desktop.ini | smss.exe
File opened for modification | \??\T:\Desktop.ini | smss.exe
File opened for modification | \??\V:\Desktop.ini | smss.exe
File opened for modification | \??\Q:\Desktop.ini | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | \??\A:\Desktop.ini | system32.exe
File opened for modification | \??\Z:\Desktop.ini | system32.exe
File opened for modification | \??\O:\Desktop.ini | csrss.exe
File opened for modification | \??\G:\Desktop.ini | Gaara.exe
File opened for modification | \??\H:\Desktop.ini | Gaara.exe
File opened for modification | \??\Y:\Desktop.ini | Gaara.exe
File opened for modification | \??\B:\Desktop.ini | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | \??\K:\Desktop.ini | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | \??\O:\Desktop.ini | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | \??\I:\Desktop.ini | system32.exe
File opened for modification | \??\Z:\Desktop.ini | csrss.exe
File opened for modification | \??\N:\Desktop.ini | Kazekage.exe
File opened for modification | \??\X:\Desktop.ini | smss.exe
File opened for modification | \??\V:\Desktop.ini | Gaara.exe
File opened for modification | \??\P:\Desktop.ini | Gaara.exe
File opened for modification | \??\U:\Desktop.ini | Gaara.exe
File opened for modification | \??\E:\Desktop.ini | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | \??\S:\Desktop.ini | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | \??\B:\Desktop.ini | Kazekage.exe
File opened for modification | \??\H:\Desktop.ini | Kazekage.exe
File opened for modification | \??\S:\Desktop.ini | Gaara.exe
File opened for modification | \??\A:\Desktop.ini | Kazekage.exe
File opened for modification | \??\A:\Desktop.ini | smss.exe
File opened for modification | \??\Y:\Desktop.ini | smss.exe
File opened for modification | \??\Z:\Desktop.ini | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | \??\H:\Desktop.ini | system32.exe
File opened for modification | \??\U:\Desktop.ini | csrss.exe
File opened for modification | \??\K:\Desktop.ini | Kazekage.exe
File opened for modification | \??\P:\Desktop.ini | Kazekage.exe
File opened for modification | D:\Desktop.ini | system32.exe
File opened for modification | \??\T:\Desktop.ini | system32.exe
File opened for modification | \??\R:\Desktop.ini | csrss.exe
File opened for modification | \??\T:\Desktop.ini | Kazekage.exe
File opened for modification | \??\Y:\Desktop.ini | Kazekage.exe
File opened for modification | \??\L:\Desktop.ini | smss.exe
File opened for modification | \??\Q:\Desktop.ini | Gaara.exe
File opened for modification | \??\A:\Desktop.ini | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | \??\V:\Desktop.ini | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | \??\Y:\Desktop.ini | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | \??\R:\Desktop.ini | system32.exe
File opened for modification | \??\E:\Desktop.ini | smss.exe
File opened for modification | \??\J:\Desktop.ini | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | \??\W:\Desktop.ini | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened for modification | D:\Desktop.ini | csrss.exe
File opened for modification | \??\I:\Desktop.ini | Kazekage.exe
File opened for modification | F:\Desktop.ini | smss.exe
File opened for modification | \??\W:\Desktop.ini | Gaara.exe
File opened for modification | \??\U:\Desktop.ini | system32.exe
File opened for modification | \??\S:\Desktop.ini | csrss.exe
File opened for modification | \??\T:\Desktop.ini | csrss.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\L: | Gaara.exe
File opened (read-only) | \??\S: | Kazekage.exe
File opened (read-only) | \??\K: | smss.exe
File opened (read-only) | \??\N: | Gaara.exe
File opened (read-only) | \??\P: | Gaara.exe
File opened (read-only) | \??\T: | system32.exe
File opened (read-only) | \??\R: | smss.exe
File opened (read-only) | \??\W: | smss.exe
File opened (read-only) | \??\X: | smss.exe
File opened (read-only) | \??\U: | Gaara.exe
File opened (read-only) | \??\P: | smss.exe
File opened (read-only) | \??\U: | smss.exe
File opened (read-only) | \??\I: | csrss.exe
File opened (read-only) | \??\E: | Kazekage.exe
File opened (read-only) | \??\G: | Kazekage.exe
File opened (read-only) | \??\M: | Kazekage.exe
File opened (read-only) | \??\O: | smss.exe
File opened (read-only) | \??\H: | Kazekage.exe
File opened (read-only) | \??\E: | smss.exe
File opened (read-only) | \??\L: | smss.exe
File opened (read-only) | \??\Y: | csrss.exe
File opened (read-only) | \??\Z: | csrss.exe
File opened (read-only) | \??\N: | Kazekage.exe
File opened (read-only) | \??\O: | Gaara.exe
File opened (read-only) | \??\Z: | Gaara.exe
File opened (read-only) | \??\Y: | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\A: | csrss.exe
File opened (read-only) | \??\Q: | system32.exe
File opened (read-only) | \??\J: | csrss.exe
File opened (read-only) | \??\M: | csrss.exe
File opened (read-only) | \??\I: | Gaara.exe
File opened (read-only) | \??\M: | Gaara.exe
File opened (read-only) | \??\K: | Kazekage.exe
File opened (read-only) | \??\Q: | Gaara.exe
File opened (read-only) | \??\Y: | Gaara.exe
File opened (read-only) | \??\J: | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\G: | csrss.exe
File opened (read-only) | \??\N: | csrss.exe
File opened (read-only) | \??\Q: | smss.exe
File opened (read-only) | \??\H: | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\T: | Kazekage.exe
File opened (read-only) | \??\K: | csrss.exe
File opened (read-only) | \??\S: | Gaara.exe
File opened (read-only) | \??\X: | Gaara.exe
File opened (read-only) | \??\E: | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\G: | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\K: | system32.exe
File opened (read-only) | \??\T: | csrss.exe
File opened (read-only) | \??\L: | Kazekage.exe
File opened (read-only) | \??\H: | smss.exe
File opened (read-only) | \??\V: | csrss.exe
File opened (read-only) | \??\V: | Kazekage.exe
File opened (read-only) | \??\B: | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\N: | system32.exe
File opened (read-only) | \??\O: | csrss.exe
File opened (read-only) | \??\I: | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\K: | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\X: | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\Z: | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
File opened (read-only) | \??\A: | system32.exe
File opened (read-only) | \??\B: | csrss.exe
File opened (read-only) | \??\G: | system32.exe
File opened (read-only) | \??\W: | system32.exe
File opened (read-only) | \??\R: | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 39 IoCs
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Modifies Control Panel 64 IoCs
\REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee Kazekage.exe -
Modifies Internet Explorer settings 12 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main | system32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Modifies registry class 51 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Runs ping.exe 1 TTPs 36 IoCs
pid | Process
ping.exe PIDs (36 entries; 400 and 2468 each appear twice): 400, 3684, 2312, 400, 1412, 2268, 2776, 4900, 3292, 4404, 3404, 1864, 2468, 4052, 3320, 4472, 1660, 2468, 4500, 1664, 4764, 3356, 2736, 1172, 2016, 3656, 3652, 1540, 2192, 3712, 3596, 4540, 3236, 3308, 4672, 1272
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | entries
1388 | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe | 24
740 | system32.exe | 24
3284 | csrss.exe | 16
Suspicious use of SetWindowsHookEx 31 IoCs
pid | Process
1388 | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
1844 | smss.exe
1892 | smss.exe
1004 | Gaara.exe
2192 | smss.exe
4492 | Gaara.exe
3284 | csrss.exe
3332 | smss.exe
4072 | Gaara.exe
436 | csrss.exe
4136 | Gaara.exe
728 | csrss.exe
3124 | Kazekage.exe
3444 | Kazekage.exe
1748 | smss.exe
740 | system32.exe
4824 | csrss.exe
1788 | Gaara.exe
2372 | Kazekage.exe
1704 | csrss.exe
4760 | smss.exe
4000 | system32.exe
1532 | Kazekage.exe
3628 | Gaara.exe
1856 | system32.exe
5068 | csrss.exe
2596 | Kazekage.exe
3832 | Kazekage.exe
3216 | system32.exe
1168 | system32.exe
4932 | system32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | logged calls
PID 1388 wrote to memory of 1844 | 1388 | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe | 86 | 3
PID 1844 wrote to memory of 1892 | 1844 | smss.exe | 89 | 3
PID 1844 wrote to memory of 1004 | 1844 | smss.exe | 90 | 3
PID 1004 wrote to memory of 2192 | 1004 | Gaara.exe | 93 | 3
PID 1004 wrote to memory of 4492 | 1004 | Gaara.exe | 96 | 3
PID 1004 wrote to memory of 3284 | 1004 | Gaara.exe | 97 | 3
PID 3284 wrote to memory of 3332 | 3284 | csrss.exe | 99 | 3
PID 3284 wrote to memory of 4072 | 3284 | csrss.exe | 101 | 3
PID 3284 wrote to memory of 436 | 3284 | csrss.exe | 102 | 3
PID 1388 wrote to memory of 4136 | 1388 | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe | 103 | 3
PID 1388 wrote to memory of 728 | 1388 | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe | 105 | 3
PID 3284 wrote to memory of 3124 | 3284 | csrss.exe | 104 | 3
PID 1388 wrote to memory of 3444 | 1388 | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe | 107 | 3
PID 3124 wrote to memory of 1748 | 3124 | Kazekage.exe | 109 | 3
PID 1388 wrote to memory of 740 | 1388 | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe | 111 | 3
PID 1844 wrote to memory of 4824 | 1844 | smss.exe | 112 | 3
PID 3124 wrote to memory of 1788 | 3124 | Kazekage.exe | 113 | 3
PID 1844 wrote to memory of 2372 | 1844 | smss.exe | 114 | 3
PID 3124 wrote to memory of 1704 | 3124 | Kazekage.exe | 115 | 3
PID 740 wrote to memory of 4760 | 740 | system32.exe | 116 | 3
PID 1844 wrote to memory of 4000 | 1844 | smss.exe | 117 | 3
PID 3124 wrote to memory of 1532 | 3124 | Kazekage.exe | 118 | 1 (listing cut off at 64 entries)
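Every parent-to-child pair in the WriteProcessMemory table is logged three times, and the rows only name the writing process, not the target. The Python below is an added example, not part of the sandbox report or its tooling: it parses rows in that "PID <src> wrote to memory of <dst> <src> <image> <procid_target>" shape, collapses the repeats into one edge per pair, and rebuilds the spawn tree with the same 1-based depth numbering the process list uses. The sample rows are copied from the table; the image names for target PIDs are an assumed lookup taken from the SetWindowsHookEx list.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the report's WriteProcessMemory table
# (only a subset of the pairs; the first pair is kept with all three repeats).
SAMPLE_WPM = """\
PID 1388 wrote to memory of 1844 1388 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe 86
PID 1388 wrote to memory of 1844 1388 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe 86
PID 1388 wrote to memory of 1844 1388 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe 86
PID 1844 wrote to memory of 1892 1844 smss.exe 89
PID 1844 wrote to memory of 1004 1844 smss.exe 90
PID 1004 wrote to memory of 2192 1004 Gaara.exe 93
PID 1004 wrote to memory of 3284 1004 Gaara.exe 97
PID 3284 wrote to memory of 3124 3284 csrss.exe 104
PID 3124 wrote to memory of 1532 3124 Kazekage.exe 118
PID 1388 wrote to memory of 740 1388 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe 111
PID 740 wrote to memory of 4760 740 system32.exe 116
"""

# Assumed lookup for PIDs that never appear as a writer; values taken from the
# report's SetWindowsHookEx table.
SAMPLE_NAMES = {1892: "smss.exe", 2192: "smss.exe", 1532: "Kazekage.exe", 4760: "smss.exe"}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\d+)$")


def parse_wpm(text):
    """One (src_pid, dst_pid, src_image, procid_target) tuple per logged call."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = WPM_RE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised WriteProcessMemory row: {line!r}")
        src, dst, src_again, image, target = m.groups()
        if src != src_again:                      # description and pid column must agree
            raise ValueError(f"pid column disagrees with description: {line!r}")
        rows.append((int(src), int(dst), image, int(target)))
    return rows


def build_tree(rows, names=None):
    """Collapse repeated calls; return (children, images, call_counts)."""
    children = defaultdict(list)                  # src pid -> [dst pid, ...] in first-seen order
    images = dict(names or {})                    # pid -> image name
    counts = defaultdict(int)                     # (src, dst) -> number of logged calls
    for src, dst, image, _target in rows:
        images.setdefault(src, image)             # the source column names the writer
        counts[(src, dst)] += 1
        if dst not in children[src]:
            children[src].append(dst)
    return children, images, counts


def roots(children):
    """PIDs that write into others but are never written into themselves."""
    targets = {d for ds in children.values() for d in ds}
    return sorted(p for p in children if p not in targets)


def depth_of(children, pid):
    """1-based depth, matching the numbering in the report's process list (root = 1)."""
    parent = {d: s for s, ds in children.items() for d in ds}
    depth = 1
    while pid in parent:
        pid = parent[pid]
        depth += 1
    return depth


def render(children, images, counts, pid, indent=0, parent=None):
    """Indented tree; child lines note how many calls the parent made into them."""
    label = f"{pid} {images.get(pid, '?')}"
    if parent is not None:
        label += f"  [{counts[(parent, pid)]} call(s)]"
    lines = ["  " * indent + label]
    for child in children.get(pid, []):
        lines.extend(render(children, images, counts, child, indent + 1, pid))
    return lines


if __name__ == "__main__":
    ch, im, ct = build_tree(parse_wpm(SAMPLE_WPM), SAMPLE_NAMES)
    for root in roots(ch):
        print("\n".join(render(ch, im, ct, root)))
```

The reconstructed chain 1388 → 1844 → 1004 → 3284 → 3124 → 1532 puts Kazekage.exe (1532) at depth 6, which is where the process list places it. Two details of that list are worth keeping in mind when building detections from it: the drivers\ copies are launched with a C:\Windows\system32\drivers\ command line but run from C:\Windows\SysWOW64\drivers\, the expected WOW64 file-system redirection for a 32-bit process; and the leaf ping commands put the hostname in the position where `-l` expects a payload size and 65500 in the target position, so as written they cannot flood the named hosts, though the intent (a maximum-size ping flood) and the domains are still the useful indicators.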
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Gaara.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | csrss.exe
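The registry tables in this report (Control Panel, registry class, System policy modification) all share one flattened row shape: `Set value (type) <path> = "<data>" <process>` or `Key created <path> <process>`. The Python below is an added example, not part of the sandbox report or its tooling: it parses rows of that shape and tags the ones that matter for triage, namely Winlogon Shell/Userinit entries beyond the Windows defaults, EnableLUA set to 0, shell\...\command hijacks under HKLM\SOFTWARE\Classes, and a replaced screen saver. The sample rows are constructed in the report's format; the two Winlogon rows are modelled on the drivers\system32.exe and drivers\csrss.exe copies seen in the process list, and the rule names and severities are this example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample in the report's row format (one event per line). Backslashes are
# doubled inside value data exactly as the sandbox prints them.
SAMPLE_LOG = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe
"""

SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = "(.*)" (\S+)$')
KEY_RE = re.compile(r'^Key created (.+) (\S+)$')
WINLOGON_RE = re.compile(r'\\winlogon\\(shell|userinit)$')
# <ProgID>\shell\<verb>\command, with or without the trailing "\" that marks the default value
SHELL_CMD_RE = re.compile(r'\\classes\\[^\\]+\\shell\\[^\\]+\\command\\?$')


@dataclass(frozen=True)
class RegEvent:
    op: str        # "set" or "create"
    vtype: str     # "str" / "int" for sets, "" for key creation
    path: str      # \REGISTRY\... path; for sets it ends in the value name
    value: str     # value data as printed by the sandbox ("" for key creation)
    process: str   # image name of the process that made the change


def parse_event(line):
    """Parse one flattened 'description ioc Process' row."""
    line = line.strip()
    m = SET_RE.match(line)
    if m:
        return RegEvent("set", m.group(1), m.group(2), m.group(3), m.group(4))
    m = KEY_RE.match(line)
    if m:
        return RegEvent("create", "", m.group(1), "", m.group(2))
    raise ValueError(f"unrecognised registry event: {line!r}")


def _basenames(value):
    # "Explorer.exe, drivers\\csrss.exe" -> ["explorer.exe", "csrss.exe"]
    return [e.strip().replace("/", "\\").rsplit("\\", 1)[-1].lower()
            for e in value.split(",") if e.strip()]


def classify(ev):
    """Return (severity, rule) for an event worth an analyst's attention, else None."""
    if ev.op != "set":
        return None                                  # a bare key creation carries no payload
    p = ev.path.lower()
    m = WINLOGON_RE.search(p)
    if m:
        # Windows defaults: Shell = explorer.exe, Userinit = <system32>\userinit.exe,
        expected = "explorer.exe" if m.group(1) == "shell" else "userinit.exe"
        if _basenames(ev.value) != [expected]:
            return ("high", f"winlogon-{m.group(1)}-persistence")
    if p.endswith(r"\policies\system\enablelua") and ev.value.strip() == "0":
        return ("high", "uac-disabled")
    if SHELL_CMD_RE.search(p):
        return ("high", "file-association-command-hijack")
    if p.endswith(r"\control panel\desktop\scrnsave.exe"):
        return ("medium", "screensaver-replaced")
    if p.endswith(r"\control panel\desktop\convertedwallpaper"):
        return ("low", "wallpaper-defacement")
    return None


def triage(log_text):
    """(severity, rule, process, path, value) for every flagged row, in input order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        tag = classify(ev)
        if tag:
            findings.append((tag[0], tag[1], ev.process, ev.path, ev.value))
    return findings


def processes_by_rule(findings):
    """Which dropped copies applied each change; this family re-applies them from every copy."""
    out = {}
    for _sev, rule, proc, _path, _val in findings:
        out.setdefault(rule, set()).add(proc)
    return {rule: sorted(procs) for rule, procs in out.items()}


if __name__ == "__main__":
    for sev, rule, proc, path, value in triage(SAMPLE_LOG):
        print(f"[{sev:6}] {rule:34} {proc:14} {path} = {value!r}")
```

The Winlogon check compares basenames rather than full strings so that the default `C:\Windows\system32\userinit.exe,` is not flagged while any appended entry is; the file-association rule is deliberately broad (any write to a `\shell\<verb>\command` default value under HKLM\SOFTWARE\Classes) because the legitimate handlers for those ProgIDs are rarely rewritten outside installs.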
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-19_b8b2a4463646a9a50b5ef886d05b2bc0_amadey_black-basta_elex_luca-stealer.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1388 -
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1844 -
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1892
-
-
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1004 -
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2192
-
-
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4492
-
-
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3284 -
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3332
-
-
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4072
-
-
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:436
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3124 -
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1748
-
-
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1788
-
-
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1704
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1532
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1856
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3320
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2016
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4672
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4500
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3356
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1540
-
-
-
C:\Windows\SysWOW64\drivers\system32.exe (depth 5)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3216

C:\Windows\SysWOW64\ping.exe (depth 5)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3292

C:\Windows\SysWOW64\ping.exe (depth 5)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4052

C:\Windows\SysWOW64\ping.exe (depth 5)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3308

C:\Windows\SysWOW64\ping.exe (depth 5)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2268

C:\Windows\SysWOW64\ping.exe (depth 5)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2468

C:\Windows\SysWOW64\ping.exe (depth 5)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4764

C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 4)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2596

C:\Windows\SysWOW64\drivers\system32.exe (depth 4)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1168

C:\Windows\SysWOW64\ping.exe (depth 4)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1172

C:\Windows\SysWOW64\ping.exe (depth 4)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3684

C:\Windows\SysWOW64\ping.exe (depth 4)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1412

C:\Windows\SysWOW64\ping.exe (depth 4)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 400

C:\Windows\SysWOW64\ping.exe (depth 4)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4900

C:\Windows\SysWOW64\ping.exe (depth 4)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3652

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe (depth 3)
Command line: "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4824

C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 3)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID: 2372

C:\Windows\SysWOW64\drivers\system32.exe (depth 3)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4000

C:\Windows\SysWOW64\ping.exe (depth 3)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4540

C:\Windows\SysWOW64\ping.exe (depth 3)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3236

C:\Windows\SysWOW64\ping.exe (depth 3)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3404

C:\Windows\SysWOW64\ping.exe (depth 3)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2468

C:\Windows\SysWOW64\ping.exe (depth 3)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 400

C:\Windows\SysWOW64\ping.exe (depth 3)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3712

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe (depth 2)
Command line: "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4136

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe (depth 2)
Command line: "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 728

C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 2)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3444

C:\Windows\SysWOW64\drivers\system32.exe (depth 2)
Command line: C:\Windows\system32\drivers\system32.exe
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visibility of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID: 740

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe (depth 3)
Command line: "C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID: 4760

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe (depth 3)
Command line: "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3628

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe (depth 3)
Command line: "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5068

C:\Windows\SysWOW64\drivers\Kazekage.exe (depth 3)
Command line: C:\Windows\system32\drivers\Kazekage.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3832

C:\Windows\SysWOW64\drivers\system32.exe (depth 3)
Command line: C:\Windows\system32\drivers\system32.exe
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4932

C:\Windows\SysWOW64\ping.exe (depth 3)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3656

C:\Windows\SysWOW64\ping.exe (depth 3)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1864

C:\Windows\SysWOW64\ping.exe (depth 3)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1664

C:\Windows\SysWOW64\ping.exe (depth 3)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1272

C:\Windows\SysWOW64\ping.exe (depth 3)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4472

C:\Windows\SysWOW64\ping.exe (depth 3)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2192

C:\Windows\SysWOW64\ping.exe (depth 2)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2736

C:\Windows\SysWOW64\ping.exe (depth 2)
Command line: ping -a -l www.duniasex.com 65500
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3596

C:\Windows\SysWOW64\ping.exe (depth 2)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1660

C:\Windows\SysWOW64\ping.exe (depth 2)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2312

C:\Windows\SysWOW64\ping.exe (depth 2)
Command line: ping -a -l www.rasasayang.com.my 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2776

C:\Windows\SysWOW64\ping.exe (depth 2)
Command line: ping -a -l www.duniasex.com 65500
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4404

C:\Windows\system32\cmd.exe (depth 1)
Command line: C:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\smss.exe
PID: 3968

C:\Windows\system32\cmd.exe (depth 1)
Command line: C:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID: 1148

C:\Windows\system32\cmd.exe (depth 1)
Command line: C:\Windows\system32\cmd.exe /c 19-5-2025.exe
PID: 3468

C:\Windows\system32\cmd.exe (depth 1)
Command line: C:\Windows\system32\cmd.exe /c drivers\csrss.exe
PID: 384

Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (8)

Downloads
- Filesize: 736B
  MD5: bb5d6abdf8d0948ac6895ce7fdfbc151
  SHA1: 9266b7a247a4685892197194d2b9b86c8f6dddbd
  SHA256: 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
  SHA512: 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

- Filesize: 196B
  MD5: 1564dfe69ffed40950e5cb644e0894d1
  SHA1: 201b6f7a01cc49bb698bea6d4945a082ed454ce4
  SHA256: be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
  SHA512: 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

- Filesize: 8.1MB
  MD5: 3df692b7ddc2757c884e3b9aebb9398b
  SHA1: adb9ad44233afd1ec5ae855a457ad7efa2277ae9
  SHA256: d7d67980e293650a4b7623328a1b06441683e67cc62c7195c203947821315ccd
  SHA512: 6771b2cb2ea49de367084b7d3efad47611c84d012d82d8ba574b76622b04e681e1509e0e05a7a3ff50032c5ed0e08aba78c7754906b2c7b179d1de882555bb85

- Filesize: 8.1MB
  MD5: b8b2a4463646a9a50b5ef886d05b2bc0
  SHA1: 6260b19ffd864de7e9c1828ff59f7176e83f1ac0
  SHA256: fd3413c6e3fd46d8a89123b5146a5895b0c48ec7da50f5dde698609714e9c5af
  SHA512: e31bf80d6bbd23ebe1008ee8322a317fb61ee5d9be13b98e67dd0a6ecbe9d259ecd44420bcdf60a79d6ed9368c0aa2128138e621addc21c9b52848cfbcb42094

- Filesize: 8.1MB
  MD5: 13e9d4c4b4d4b2128ce3982347a8a668
  SHA1: 1d243d51520c2088c8705e891b97debbbc7c5ba7
  SHA256: 4667f1e9260d0826ce431c79f077bdc9f2bb66f37b950f456b0cd64ce0ab1d3f
  SHA512: 1f3eeac634890f32bc65b8f8e32083bdf542bbc149f4a84f42491953ad292e4a1ce216d3798437d0c46c7ad8f056d867b0f749d801288b52b2dbb9c4dcc4f034

- Filesize: 8.1MB
  MD5: 957527f2d9b8c57d8bf997f5002a43c1
  SHA1: 7bcfa15a618f8651ddd7d277292f6be964e8f9e1
  SHA256: c07cf6cb0539719a628177eb4161dc06d7d6c511939780055c180bb7686506b1
  SHA512: e57dc2f59525d3c775ccf3619692e6ee6e7b464b837ef1bc99837dce2edbd1815cd4c9a98e0ed3d743497c7618a75fab96fa04f7772625bba73b636441909d27

- Filesize: 8.1MB
  MD5: 1a83b5cf772454decef6853477e08c7c
  SHA1: eea0b69d9393d179494e047c459f16d077236e83
  SHA256: 071605e6255f13f58770364162b50170a187d03ac1828afb716bffce070fc80a
  SHA512: aed860165b0fea26be408a92ae4311b76ac1c088203cd323dbd4024737da88b5a55f13450203e0b26507d088a111956f3a5d1b65a3a472ea008791c6f2c0ee39

- Filesize: 1.4MB
  MD5: d6b05020d4a0ec2a3a8b687099e335df
  SHA1: df239d830ebcd1cde5c68c46a7b76dad49d415f4
  SHA256: 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
  SHA512: 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

- Filesize: 8.1MB
  MD5: bb3e8447a82d251c6027f7fce6333ea7
  SHA1: d1594361ce4622d1de32a59035be3633ba0cbf34
  SHA256: e72f64461b19b9e0b43128b1ad125e413621ac953b508ffc1daf36f85ac1023e
  SHA512: 841dfc96b2cb2239fbda35203f49b8bbd585f3def9372d78254b18f77a27d2691b7628f4e712da284e32874f63c91936f06dcfd33251be8eb56a0605c07df2ac

- Filesize: 65B
  MD5: 64acfa7e03b01f48294cf30d201a0026
  SHA1: 10facd995b38a095f30b4a800fa454c0bcbf8438
  SHA256: ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
  SHA512: 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

- Filesize: 8.1MB
  MD5: f04ccfada02001f14b3112c000825f66
  SHA1: 04559da58e84a66f0447394c8733652197176cf4
  SHA256: 9b34ec0f5d18bc26c66abe5fb74830a83783d495fc8059bb859e5e802c2f03a1
  SHA512: 89e3e251ff3987bf3f7bfb5609637eff2b60577b508516d80e8bf5871b7d072dae36bae28b18661bb1b5112a260e6557c0250d5e833857e52364c87ded507c96

- Filesize: 8.1MB
  MD5: 86dee1ac790976cbd4967154c4539199
  SHA1: e3ef4b706b72e92b91afe65542b4dc876894e570
  SHA256: c28cd8375e8323948bd97443756a56c1273652c428d62eacb981f4dda4b5457b
  SHA512: cf5b58aae16adfdc37e82d75c6f1deec0c90ae2ebb9b2a3810b54ae65b624fd4c82a75b0cca1ee3a0ecdee39f260f96eb92a13f9a79fed0b2012566095284bb4

- Filesize: 8.1MB
  MD5: 8f9e0ba499c51cc6a3cc3a5a7b67e9f3
  SHA1: 8ed9c517d37a1a046d612a62934439c014180556
  SHA256: 3d5b7a5421232fd030a92205a75da965bc3ab6ef004b651a78b21e9e95cbab71
  SHA512: d867d79e15d02ab3ac7ec2de612a6a40e9fe9781b4cd862ea680199ba3744cddc3b699893fc7235c10adafff5198a05df102f9c712a0e873fc7e46043ecb02bd

- Filesize: 8.1MB
  MD5: 87a0977b73a1f136f5be126b8382c03d
  SHA1: f13ef620ea88eec1ab5bd60cddc681564be16471
  SHA256: 0da343a46e37f086f99d9dd8e00d7b925e78c0fa712c4a862d97791047ca040e
  SHA512: 22f8c46d1c11b5520dbd97a27a70c3a86f05f51db65baf077c975fb1688884365cb01520b5e74568a574240ebdd2c8f2fea5acada6da3adeed0f5d22b29c2705

- Filesize: 8.1MB
  MD5: 8a29fe1674162c0ea029115411eccf22
  SHA1: d372969d7e65920f8f2c5f3124842d1d2d4b98b4
  SHA256: d8bf193ecc3d900837b4c123e3019359eb394f9109028d49ee2fb3089d9e759f
  SHA512: bed92eed390270995f16dd897cb236b51cde5c65f07d075de67532ac57488c76fa4bda2b403a2ff8a3e2e04e3859611ac4759e394e87e907a10e54732f52788e

- Filesize: 8.1MB
  MD5: 447155b4b7b27e1f70c14ecc10d0649e
  SHA1: 30493995cba519b46b0ddf04d3933c28229a05db
  SHA256: 560f30049922a4ce769564b62f1826a30c041b5bb6528654f512f2f2f841026e
  SHA512: f94d54f4c7d82a7560065dbee0d87c51c47724132fb19efbf6948a9594f61aac4ab8421018e49de138909783989c9994944cc21272ea9dcf0d1155baeb077ed3

- Filesize: 1.4MB
  MD5: 25f62c02619174b35851b0e0455b3d94
  SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
  SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
  SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a