Analysis
max time kernel: 149s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20250502-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19/05/2025, 14:47
Behavioral task: behavioral1
Sample: 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe
Resource: win10v2004-20250502-en
Behavioral task: behavioral2
Sample: 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe
Resource: win11-20250502-en
General
Target: 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe
Size: 8.2MB
MD5: 5d94c92d0e4d68fdd3b2bc6be6cef612
SHA1: cd2594f5a9da48781633962b78a22461b75dd54d
SHA256: b7bccca618d889b72c3ec43f142082cdf5e79df979817de0b884f6fbc2fac7d6
SHA512: fc04dc61ce316f16898ca6263687f562cd4a41ef5ed2dbe7b57e947d6672899e6d3e7bab6cb9be3c2d24af0e88dc4775d292a2bc62e866aa7e2b8f4363a99e9a
SSDEEP: 49152:byyqWyWy0GyqWyWyMRPC1eHc785dxytlWF17:byyqWyWy0GyqWyWyMRPC1eHL5dxyjyp
Malware Config
Signatures
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe"
    processes: csrss.exe, smss.exe, system32.exe, 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe, Gaara.exe, Kazekage.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe"
    processes: csrss.exe, system32.exe, 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe, smss.exe, Kazekage.exe, Gaara.exe
  Note: both values keep the legitimate image (Explorer.exe, userinit.exe) and append a second, relative path, so the desktop still comes up while the dropped file is started at every logon. The writes land in the WOW6432Node view; when checking a host, read the native HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key as well.
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
    processes: Gaara.exe, csrss.exe, smss.exe, Kazekage.exe, system32.exe, 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
    processes: smss.exe, Kazekage.exe, system32.exe, 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe, Gaara.exe, csrss.exe
UAC bypass (3 TTPs, 6 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
    processes: smss.exe, Kazekage.exe, system32.exe, 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe, Gaara.exe, csrss.exe
  Note: EnableLUA = 0 turns UAC off system-wide and only takes effect after the next reboot; writing the value already needs an elevated token, so this disables UAC for later rather than bypassing it for the current process.
Disables RegEdit via registry modification (6 IoCs)
  Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
    processes: smss.exe, Kazekage.exe, system32.exe, 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe, Gaara.exe, csrss.exe
Disables use of System Restore points (1 TTP)
Drops file in Drivers directory (24 IoCs)
  Each of the six processes both creates and opens for modification the two dropped files:
  File created C:\Windows\SysWOW64\drivers\Kazekage.exe
    processes: system32.exe, Kazekage.exe, Gaara.exe, csrss.exe, smss.exe, 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe
  File created C:\Windows\SysWOW64\drivers\system32.exe
    processes: system32.exe, Gaara.exe, csrss.exe, smss.exe, 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe, Kazekage.exe
  File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe
    processes: Gaara.exe, smss.exe, Kazekage.exe, system32.exe, 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe, csrss.exe
  File opened for modification C:\Windows\SysWOW64\drivers\system32.exe
    processes: system32.exe, csrss.exe, Kazekage.exe, Gaara.exe, 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe, smss.exe
Event Triggered Execution: Image File Execution Options Injection (1 TTP, 64 IoCs)
  All keys are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\. A Debugger value makes Windows start the named image instead of the target, with the target's own command line appended: "drivers\\Kazekage.exe" therefore runs the dropped file whenever one of the listed system tools is launched, and "cmd.exe /c del" deletes the executable that was launched. The submitted sample, 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe, is written as <sample> below.
  cscript.exe
    Debugger = "drivers\\Kazekage.exe": csrss.exe, system32.exe, <sample>, smss.exe, Gaara.exe
    Key created: smss.exe, system32.exe
  wscript.exe
    Debugger = "drivers\\Kazekage.exe": csrss.exe
    Key created: <sample>
  regedit.exe
    Debugger = "drivers\\Kazekage.exe": system32.exe, Gaara.exe, smss.exe
    Key created: Kazekage.exe, system32.exe
  regedt32.exe
    Debugger = "drivers\\Kazekage.exe": system32.exe, <sample>
    Key created: system32.exe
  rstrui.exe
    Debugger = "drivers\\Kazekage.exe": csrss.exe, <sample>
    Key created: Kazekage.exe
  taskmgr.exe
    Debugger = "drivers\\Kazekage.exe": <sample>
    Key created: csrss.exe, Kazekage.exe, Gaara.exe
  mmc.exe
    Debugger = "drivers\\Kazekage.exe": smss.exe
    Key created: <sample>
  msconfig.exe
    Key created: Kazekage.exe, system32.exe, <sample>
  procexp.exe
    Debugger = "cmd.exe /c del": system32.exe
    Key created: smss.exe, system32.exe
  KakashiHatake.exe
    Debugger = "cmd.exe /c del": Gaara.exe, csrss.exe
    Key created: Gaara.exe, smss.exe
  HOKAGE4.exe
    Debugger = "cmd.exe /c del": Gaara.exe, csrss.exe
    Key created: smss.exe
  HokageFile.exe
    Debugger = "cmd.exe /c del": smss.exe, csrss.exe
    Key created: Kazekage.exe, smss.exe
  Obito.exe
    Debugger = "cmd.exe /c del": smss.exe, system32.exe
    Key created: system32.exe
  Rin.exe
    Key created: system32.exe, <sample>
  Funny UST Scandal.exe
    Debugger = "cmd.exe /c del": csrss.exe
    Key created: smss.exe, Gaara.exe
  kspool.exe
    Debugger = "cmd.exe /c del": csrss.exe, Kazekage.exe
    Key created: Gaara.exe, system32.exe, csrss.exe
  kspoold.exe
    Debugger = "cmd.exe /c del": Kazekage.exe, <sample>, Gaara.exe
    Key created: Gaara.exe, <sample>
  Thumbs.com
    Key created: <sample>, Gaara.exe, system32.exe
Executes dropped EXE (30 IoCs)
  pids by process:
    smss.exe: 4624, 4980, 4788, 2308, 4040, 1640
    Gaara.exe: 4832, 4368, 5624, 5916, 3332, 876
    csrss.exe: 3624, 5224, 4968, 1296, 3180, 4128
    Kazekage.exe: 6096, 5540, 1012, 5004, 5276, 5628
    system32.exe: 3216, 5300, 5084, 3364, 1224, 3852
Loads dropped DLL (18 IoCs)
  pids by process:
    smss.exe: 4624, 4980, 4788, 2308, 4040, 1640
    Gaara.exe: 4832, 4368, 5624, 5916, 3332, 876
    csrss.exe: 3624, 5224, 4968, 1296, 3180, 4128
Adds Run key to start application (2 TTPs, 24 IoCs)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe"
    processes: 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe, Gaara.exe, csrss.exe, smss.exe, Kazekage.exe, system32.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe"
    processes: Kazekage.exe, 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe, Gaara.exe, csrss.exe, smss.exe, system32.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe"
    processes: Gaara.exe, Kazekage.exe, 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe, smss.exe, csrss.exe, system32.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe"
    processes: 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe, smss.exe, Gaara.exe, csrss.exe, Kazekage.exe, system32.exe
Checks whether UAC is enabled (1 TTP, 6 IoCs)
  Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
    processes: csrss.exe, smss.exe, Kazekage.exe, system32.exe, 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe, Gaara.exe
Drops desktop.ini file(s) (64 IoCs)
  File opened for modification <root>\Desktop.ini, grouped by process (roots as recorded):
    2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe (15): \??\L:, \??\O:, \??\R:, \??\X:, \??\G:, D:, \??\E:, \??\T:, \??\K:, \??\Q:, \??\M:, \??\W:, \??\Y:, \??\I:, \??\P:
    Kazekage.exe (17): \??\X:, \??\J:, \??\P:, \??\R:, C:, \??\O:, \??\L:, D:, \??\T:, \??\Y:, F:, \??\G:, \??\K:, \??\N:, \??\Z:, \??\B:, \??\M:
    system32.exe (8): \??\V:, D:, \??\T:, \??\L:, \??\B:, \??\K:, \??\A:, \??\G:
    csrss.exe (11): \??\E:, \??\I:, \??\J:, \??\B:, \??\G:, C:, \??\X:, \??\K:, \??\V:, \??\U:, \??\L:
    Gaara.exe (8): \??\T:, \??\L:, \??\U:, \??\B:, \??\G:, D:, \??\R:, \??\Y:
    smss.exe (5): \??\E:, \??\R:, \??\O:, \??\S:, \??\I:
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) <root>, grouped by process:
    csrss.exe (8): \??\U:, \??\N:, \??\Q:, \??\R:, \??\H:, \??\M:, \??\I:, \??\V:
    Kazekage.exe (12): \??\G:, \??\W:, \??\Y:, \??\S:, \??\P:, \??\N:, \??\X:, \??\A:, \??\L:, \??\R:, \??\Q:, \??\H:
    2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe (8): \??\K:, \??\V:, \??\A:, \??\H:, \??\J:, \??\L:, \??\Q:, \??\W:
    smss.exe (13): \??\W:, \??\L:, \??\P:, \??\H:, \??\R:, \??\T:, \??\S:, \??\Q:, \??\M:, \??\O:, \??\J:, \??\U:, \??\X:
    system32.exe (13): \??\E:, \??\I:, \??\M:, \??\J:, \??\K:, \??\N:, \??\U:, \??\L:, \??\P:, \??\Y:, \??\Q:, \??\S:, \??\Z:
    Gaara.exe (10): \??\N:, \??\O:, \??\K:, \??\M:, \??\H:, \??\A:, \??\G:, \??\W:, \??\S:, \??\U:
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Drops file in System32 directory 39 IoCs
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | system32.exe
Drops file in Windows directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 63 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 32 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Modifies Control Panel 64 IoCs
Panel\Screen Saver.Marquee\Speed = "4" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 
Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main smss.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main system32.exe -
Modifies registry class 51 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe Set value (str) 
\REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe -
Runs ping.exe 1 TTPs 32 IoCs
pid Process 3208 ping.exe 5072 ping.exe 4984 ping.exe 5124 ping.exe 3428 ping.exe 4564 ping.exe 928 ping.exe 2592 ping.exe 5628 ping.exe 3872 ping.exe 5576 ping.exe 856 ping.exe 2380 ping.exe 2912 ping.exe 4396 ping.exe 1628 ping.exe 5672 ping.exe 5776 ping.exe 4828 ping.exe 4132 ping.exe 5156 ping.exe 4720 ping.exe 1008 ping.exe 5264 ping.exe 3604 ping.exe 3996 ping.exe 3136 ping.exe 2756 ping.exe 3696 ping.exe 3192 ping.exe 1932 ping.exe 1360 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 3624 csrss.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe 4832 Gaara.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 3160 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe 4624 smss.exe 4980 smss.exe 4832 Gaara.exe 4788 smss.exe 4368 Gaara.exe 3624 csrss.exe 2308 smss.exe 5624 Gaara.exe 5224 csrss.exe 6096 Kazekage.exe 4040 smss.exe 5916 Gaara.exe 4968 csrss.exe 5540 Kazekage.exe 3216 system32.exe 1640 smss.exe 3332 Gaara.exe 1296 csrss.exe 1012 Kazekage.exe 5300 system32.exe 5084 system32.exe 5004 Kazekage.exe 3364 system32.exe 3180 csrss.exe 5276 Kazekage.exe 1224 system32.exe 876 Gaara.exe 4128 csrss.exe 5628 Kazekage.exe 3852 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3160 wrote to memory of 4624 3160 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe 89 PID 3160 wrote to memory of 4624 3160 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe 89 PID 3160 wrote to memory of 4624 3160 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe 89 PID 4624 wrote to memory of 4980 4624 smss.exe 90 PID 4624 wrote to memory of 4980 4624 smss.exe 90 PID 4624 wrote to memory of 4980 4624 smss.exe 90 PID 4624 wrote to memory of 4832 4624 smss.exe 91 PID 4624 wrote to memory of 4832 4624 smss.exe 91 PID 4624 wrote to memory of 4832 4624 smss.exe 91 PID 4832 wrote to memory of 4788 4832 Gaara.exe 92 PID 4832 wrote to memory of 4788 4832 Gaara.exe 92 PID 4832 wrote to memory of 4788 4832 Gaara.exe 92 PID 4832 wrote to memory of 4368 4832 Gaara.exe 93 PID 4832 wrote to memory of 4368 4832 Gaara.exe 93 PID 4832 wrote to memory of 4368 4832 Gaara.exe 93 PID 4832 wrote to memory of 3624 4832 Gaara.exe 94 PID 4832 wrote to memory of 3624 4832 Gaara.exe 94 PID 4832 wrote to memory of 3624 4832 Gaara.exe 94 PID 3624 wrote to memory of 2308 3624 csrss.exe 95 PID 3624 wrote to memory of 2308 3624 csrss.exe 95 PID 3624 wrote to memory of 2308 3624 csrss.exe 95 PID 3624 wrote to memory of 5624 3624 csrss.exe 96 PID 3624 wrote to memory of 5624 3624 csrss.exe 96 PID 3624 wrote to memory of 5624 3624 csrss.exe 96 PID 3624 wrote to memory of 5224 3624 csrss.exe 97 PID 3624 wrote to memory of 5224 3624 csrss.exe 97 PID 3624 wrote to memory of 5224 3624 csrss.exe 97 PID 3624 wrote to memory of 6096 3624 csrss.exe 98 PID 3624 wrote to memory of 6096 3624 csrss.exe 98 PID 3624 wrote to memory of 6096 3624 csrss.exe 98 PID 6096 wrote to memory of 4040 6096 Kazekage.exe 99 PID 6096 wrote to memory of 4040 6096 Kazekage.exe 99 PID 6096 wrote to memory of 4040 6096 Kazekage.exe 99 PID 6096 wrote to memory of 5916 6096 Kazekage.exe 
100 PID 6096 wrote to memory of 5916 6096 Kazekage.exe 100 PID 6096 wrote to memory of 5916 6096 Kazekage.exe 100 PID 6096 wrote to memory of 4968 6096 Kazekage.exe 101 PID 6096 wrote to memory of 4968 6096 Kazekage.exe 101 PID 6096 wrote to memory of 4968 6096 Kazekage.exe 101 PID 6096 wrote to memory of 5540 6096 Kazekage.exe 102 PID 6096 wrote to memory of 5540 6096 Kazekage.exe 102 PID 6096 wrote to memory of 5540 6096 Kazekage.exe 102 PID 6096 wrote to memory of 3216 6096 Kazekage.exe 103 PID 6096 wrote to memory of 3216 6096 Kazekage.exe 103 PID 6096 wrote to memory of 3216 6096 Kazekage.exe 103 PID 3216 wrote to memory of 1640 3216 system32.exe 104 PID 3216 wrote to memory of 1640 3216 system32.exe 104 PID 3216 wrote to memory of 1640 3216 system32.exe 104 PID 3216 wrote to memory of 3332 3216 system32.exe 105 PID 3216 wrote to memory of 3332 3216 system32.exe 105 PID 3216 wrote to memory of 3332 3216 system32.exe 105 PID 3216 wrote to memory of 1296 3216 system32.exe 106 PID 3216 wrote to memory of 1296 3216 system32.exe 106 PID 3216 wrote to memory of 1296 3216 system32.exe 106 PID 3216 wrote to memory of 1012 3216 system32.exe 107 PID 3216 wrote to memory of 1012 3216 system32.exe 107 PID 3216 wrote to memory of 1012 3216 system32.exe 107 PID 3216 wrote to memory of 5300 3216 system32.exe 108 PID 3216 wrote to memory of 5300 3216 system32.exe 108 PID 3216 wrote to memory of 5300 3216 system32.exe 108 PID 3624 wrote to memory of 5084 3624 csrss.exe 109 PID 3624 wrote to memory of 5084 3624 csrss.exe 109 PID 3624 wrote to memory of 5084 3624 csrss.exe 109 PID 4832 wrote to memory of 5004 4832 Gaara.exe 110 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3160
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4624
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4980
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4832
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4788
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4368
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3624
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2308
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5624
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5224
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:6096
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4040
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5916
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4968
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5540
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3216
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1640
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3332
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1296
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1012
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5300
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3996
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4396
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:928
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3696
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3604
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2912
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:856
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4132
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4564
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5576
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5084
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3872
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5628
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5124
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3208
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3428
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5776
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5004
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3364
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5156
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2592
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1932
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1360
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5672
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1628
-
-
-
Path: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
Command: "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
Tree depth: 3
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3180

Path: C:\Windows\SysWOW64\drivers\Kazekage.exe
Command: C:\Windows\system32\drivers\Kazekage.exe
Tree depth: 3
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5276

Path: C:\Windows\SysWOW64\drivers\system32.exe
Command: C:\Windows\system32\drivers\system32.exe
Tree depth: 3
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1224

Path: C:\Windows\SysWOW64\ping.exe
Command: ping -a -l www.rasasayang.com.my 65500
Tree depth: 3
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5264

Path: C:\Windows\SysWOW64\ping.exe
Command: ping -a -l www.duniasex.com 65500
Tree depth: 3
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3192

Path: C:\Windows\SysWOW64\ping.exe
Command: ping -a -l www.rasasayang.com.my 65500
Tree depth: 3
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4720

Path: C:\Windows\SysWOW64\ping.exe
Command: ping -a -l www.duniasex.com 65500
Tree depth: 3
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3136

Path: C:\Windows\SysWOW64\ping.exe
Command: ping -a -l www.rasasayang.com.my 65500
Tree depth: 3
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2756

Path: C:\Windows\SysWOW64\ping.exe
Command: ping -a -l www.duniasex.com 65500
Tree depth: 3
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4984
Path: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
Command: "C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
Tree depth: 2
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 876

Path: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
Command: "C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
Tree depth: 2
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4128

Path: C:\Windows\SysWOW64\drivers\Kazekage.exe
Command: C:\Windows\system32\drivers\Kazekage.exe
Tree depth: 2
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5628

Path: C:\Windows\SysWOW64\drivers\system32.exe
Command: C:\Windows\system32\drivers\system32.exe
Tree depth: 2
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3852

Path: C:\Windows\SysWOW64\ping.exe
Command: ping -a -l www.rasasayang.com.my 65500
Tree depth: 2
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 1008

Path: C:\Windows\SysWOW64\ping.exe
Command: ping -a -l www.duniasex.com 65500
Tree depth: 2
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4828

Path: C:\Windows\SysWOW64\ping.exe
Command: ping -a -l www.rasasayang.com.my 65500
Tree depth: 2
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5072

Path: C:\Windows\SysWOW64\ping.exe
Command: ping -a -l www.duniasex.com 65500
Tree depth: 2
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2380
Path: C:\Windows\system32\cmd.exe
Command: C:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\smss.exe
Tree depth: 1
PID: 2832

Path: C:\Windows\system32\cmd.exe
Command: C:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\Gaara.exe
Tree depth: 1
PID: 5928

Path: C:\Windows\system32\cmd.exe
Command: C:\Windows\system32\cmd.exe /c 19-5-2025.exe
Tree depth: 1
PID: 5168

Path: C:\Windows\system32\cmd.exe
Command: C:\Windows\system32\cmd.exe /c drivers\csrss.exe
Tree depth: 1
PID: 3432
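A detection pass over the process-tree records above, as an added example that is not part of the sandbox report or of the sample's own code. The records are copied from the tree (one instance of each repeated pattern; the last record is a constructed benign control, the real csrss.exe, to show the rules stay quiet on it). The rules, their wording and the 1024-byte ping payload threshold are assumptions of this example, not vendor signatures. One caveat the tree itself illustrates: the Kazekage.exe and system32.exe records carry a command line under C:\Windows\system32\drivers but an image path under C:\Windows\SysWOW64\drivers, which is WOW64 file system redirection acting on a 32-bit dropper, so the rules key on the recorded image path rather than on the command line.

```python
import ntpath
import re

# Records copied from the process tree in this report: (image path, command line, PID).
# Only one instance of each repeated pattern is kept; the last record is a constructed
# benign control (the real csrss.exe) to show the rules do not fire on it.
PROCESS_TREE = [
    (r"C:\Windows\SysWOW64\ping.exe", "ping -a -l www.rasasayang.com.my 65500", 5124),
    (r"C:\Windows\SysWOW64\ping.exe", "ping -a -l www.duniasex.com 65500", 3208),
    (r"C:\Windows\SysWOW64\drivers\Kazekage.exe", r"C:\Windows\system32\drivers\Kazekage.exe", 5004),
    (r"C:\Windows\SysWOW64\drivers\system32.exe", r"C:\Windows\system32\drivers\system32.exe", 3364),
    (r"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe", r'"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"', 3180),
    (r"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe", r'"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"', 876),
    (r"C:\Windows\system32\cmd.exe", r"C:\Windows\system32\cmd.exe /c drivers\csrss.exe", 3432),
    (r"C:\Windows\System32\csrss.exe", r"%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows", 600),  # constructed control
]

# Names Windows ships only under System32/SysWOW64; the same name anywhere else is
# masquerading (ATT&CK T1036.005).
SYSTEM_PROCESS_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "lsass.exe", "services.exe", "svchost.exe"}
LEGIT_SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Directories that hold fonts or kernel drivers, never user-mode executables.
NO_EXE_DIRS = (r"c:\windows\fonts", r"c:\windows\system32\drivers", r"c:\windows\syswow64\drivers")

# Windows ping caps -l at 65500 bytes; a reachability check uses the 32-byte default.
# The threshold is an assumption for this example.
PING_PAYLOAD_THRESHOLD = 1024


def _under(directory, roots):
    """True if directory is one of roots or a subdirectory of one of them."""
    return any(directory == r or directory.startswith(r + "\\") for r in roots)


def check_process(image, cmdline):
    """Return the list of rule hits for one process-tree record (empty if clean)."""
    findings = []
    image_l = image.lower()
    name = ntpath.basename(image_l)
    directory = ntpath.dirname(image_l)

    if name in SYSTEM_PROCESS_NAMES and directory not in LEGIT_SYSTEM_DIRS:
        findings.append("masquerading: %s outside System32/SysWOW64" % name)
    if name == "system32.exe":
        findings.append("masquerading: directory name used as executable name")
    if _under(directory, NO_EXE_DIRS):
        findings.append("execution from non-executable directory %s" % directory)

    tokens = cmdline.split()
    if name == "ping.exe" and "-l" in tokens:
        # Key on the -l switch plus any flood-sized numeric token, not on the token
        # after -l: the recorded command lines put the hostname in the size position.
        sizes = [int(t) for t in tokens if t.isdigit()]
        if sizes and max(sizes) >= PING_PAYLOAD_THRESHOLD:
            findings.append("ping flood: -l switch with %d-byte payload" % max(sizes))

    if name == "cmd.exe":
        m = re.search(r"/c\s+(.+)$", cmdline, re.IGNORECASE)
        if m:
            target = m.group(1).strip().strip('"')
            target_l = target.lower()
            if ntpath.basename(target_l) in SYSTEM_PROCESS_NAMES or target_l.startswith(("fonts\\", "drivers\\")):
                findings.append("cmd /c launching %s by relative path" % target)
    return findings


def scan(records):
    """Map PID -> findings for every record that trips at least one rule."""
    hits = {}
    for image, cmdline, pid in records:
        findings = check_process(image, cmdline)
        if findings:
            hits[pid] = findings
    return hits


if __name__ == "__main__":
    for pid, findings in scan(PROCESS_TREE).items():
        print("PID %d:" % pid)
        for f in findings:
            print("  - " + f)
```

Run as a script it lists every flagged PID from the embedded records; in a real deployment the records would come from Sysmon event 1 or EDR process-creation telemetry, where the image path field plays the role of the first tuple element.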
Network
MITRE ATT&CK Enterprise v16
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (8)
Downloads
- Filesize: 736B
  MD5: bb5d6abdf8d0948ac6895ce7fdfbc151
  SHA1: 9266b7a247a4685892197194d2b9b86c8f6dddbd
  SHA256: 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
  SHA512: 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
- Filesize: 196B
  MD5: 1564dfe69ffed40950e5cb644e0894d1
  SHA1: 201b6f7a01cc49bb698bea6d4945a082ed454ce4
  SHA256: be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
  SHA512: 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
- Filesize: 8.2MB
  MD5: ab30cdc327911d812d365eb2682b6f14
  SHA1: 000110c49df63032739224a822dca8181d2350a6
  SHA256: c21216746e591bda1efc52627070344fc1d2c1c959f77d9435818ca80af53ed2
  SHA512: 80251f374d6c90d971321e10ac6620c6e07c96d9dfd9ce20235e23830a512127d2bd2271c7cc629db0477bafe4ffd631f186c0c6f74bc3d4fbdbe4ed7bb994e2
- Filesize: 8.2MB
  MD5: 5d94c92d0e4d68fdd3b2bc6be6cef612
  SHA1: cd2594f5a9da48781633962b78a22461b75dd54d
  SHA256: b7bccca618d889b72c3ec43f142082cdf5e79df979817de0b884f6fbc2fac7d6
  SHA512: fc04dc61ce316f16898ca6263687f562cd4a41ef5ed2dbe7b57e947d6672899e6d3e7bab6cb9be3c2d24af0e88dc4775d292a2bc62e866aa7e2b8f4363a99e9a
- Filesize: 8.2MB
  MD5: b5bd677dfc8d7b10c97fbafa25711035
  SHA1: 32801820f15d30ae990981a935ba1827d18462f8
  SHA256: c8b9fbfe3a954c9ffb3f68455298d1a8e9b18d97d8162fb4090ee1c95cfe20b3
  SHA512: 2984d0cdfa0172e89940307ac88379082469baf3d923c4165a7a97af628b4c086f7f367b9538524e83e990e5dbdeb015d0db8d1aede9b92763f989bf77fc9755
- Filesize: 8.2MB
  MD5: afd29303db6ee02aa734410f3c01467a
  SHA1: 066ab54884644cf713b05a861267a75f9fe753b1
  SHA256: 3bb428094af0fe29ea786d9a4d21cadb0f781555980c2cbc6a71dac977256a94
  SHA512: e5bf3839f2b891d3441ceffff376d2e6a16a8459c05559123e6efa7ec3d277050f8afc7d5f344497a82b157e639288abb71c481d8225d11cf280a5d9b82207fc
- Filesize: 1.4MB
  MD5: d6b05020d4a0ec2a3a8b687099e335df
  SHA1: df239d830ebcd1cde5c68c46a7b76dad49d415f4
  SHA256: 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
  SHA512: 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
- Filesize: 8.2MB
  MD5: 146a99867d02ee314ef7e9a272195502
  SHA1: f26afa19a67cd7ff27664073a4c15271fa0a4030
  SHA256: fbe0025a648fd9ef8821edbc5ba5fa338f76e21a46766563be1326390121d8cc
  SHA512: 92a6ad3c02b9b631bfc1a4d9fa312abfd3fcf7d3049d4be65517624ae1ebe142efdf7ce65b64ed96f5295096d58463e5b8fcddf62c057f20a70cf857235fe4b6
- Filesize: 8.2MB
  MD5: a04f7c845150dc86333958f02fe39bad
  SHA1: 2b6133562469d70ce18532865630fcd34303c2b5
  SHA256: 786275f69251ad09f8af4b256ba17c26cb6447243cb26513a6d87bee68995f9d
  SHA512: 0f141d2426e74dd7046bc3bb6772dcf8fdc04dfea87c0c24176a7d79b78c7070c1701dcbf7cde0f259a78dfdcd435ff6669eb04051aaf1b3dfb9af0dd2af251e
- Filesize: 8.2MB
  MD5: 8ec9eac2665e276c0a158fda5bbbcac9
  SHA1: 001d59ca48d702d481e47c6d617a0bfb36e84a45
  SHA256: 3ed6f555acf21238604fb8650203483e64f004c303bc3d2fe198a4f95b6e6a63
  SHA512: 920cbd1a0b444c3354882408866ad75f8d02717b0d398ca70929a159bd224b3720338b88d73071ed21fd62316e3941a89d5fc7863dbd3b6b8018de46bda0ffe9
- Filesize: 8.2MB
  MD5: 73ad0531079c3da71e234fff12a2f0b4
  SHA1: 6ddca005f6cc9a447232b0271de6f59285c5d460
  SHA256: d0e0b0cbc200d849fc498021d8e3296532397d086650d4515d6cebc9f39691d7
  SHA512: d2b5967a0be49822702f05d8f97c42e675f3e6b63e6925d443a0a7b7c8b4df44b39e693ee229b72cdb2fc80bce5ee42a7cb98f9c54f74d4a351011186f407e04
- Filesize: 65B
  MD5: 64acfa7e03b01f48294cf30d201a0026
  SHA1: 10facd995b38a095f30b4a800fa454c0bcbf8438
  SHA256: ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
  SHA512: 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
- Filesize: 8.2MB
  MD5: 39c26014038df5c722ce85ab22adbdd3
  SHA1: 80fd1d1bd7fd26db8d9cd4dc2fa117fcee0a2205
  SHA256: 9c31878274cb12180466f20466187480ae98ed3ef42f5297be226882e0f1814b
  SHA512: 1bec8f82c50f8abfc0ea636cbb4125824a0257ad12cb8ac5fbec895719343e9bb97e45a76bc40c298f588dfd0635ba01e6fcc346e0506c49f2f689adc46a5971
- Filesize: 8.2MB
  MD5: c120a1d9ea52655be12440c73bcef24d
  SHA1: 1033a713e5fc432dc207b5bb0cf77c3f8140a8fb
  SHA256: 07983115433516c6b1d9175d16f1d82343c287575ebd107c01b9b3cbfd98c952
  SHA512: 935968d5159e8ebdcd65d274d09f7d7ca56f37d7fb3cd18efabb948a0dd2b157f9a7b1711312d7a7828ce7a1d6f61e060f553d648fd99058213c8f101f6553c8
- Filesize: 8.2MB
  MD5: fffab0c0ed1f7dc1bd374b17f77d5c01
  SHA1: 98453ead12bf0b29d20aba56a8b61659c45a79d3
  SHA256: 2fa4cebc8bfc3de7cb787d4e267b9252832b78c410b17023c82ae8cf960dc245
  SHA512: f7db684fc763392a0c7177c223145ef1d4d5756f2c26907ee99b54c570b0a0fd2c963ea141eca61765ecf45943a3bcdb2d2c3844c817f06ebeb719612535a134
- Filesize: 8.2MB
  MD5: 084430f6e639cd980f5f3dd70679317f
  SHA1: 3258f33530907841187a40917660a73b89679705
  SHA256: 863958e4582bef80c15e1b8c52cbd40d875e54500b8b493b4ade788aeb7bc735
  SHA512: 32fef8486de0f316f8ea6f07b44f23437690358bbdd1eccb77006633574bd1ea0aa6a165a15d3cdfc6a89a475eefbc6f9292c5a0fe2c15d0c440ff394474f8df
- Filesize: 8.2MB
  MD5: e5a9999e3b680ff2ae33af57e8266496
  SHA1: 51601d01cc6b099b15b7f799b9b0fc87c3a42847
  SHA256: c8b3fce4df5741daafb8dc9e21bdcdb9a96899ce2891ae39d46322f13d94150b
  SHA512: cb1c72028cd0ee77cc5c2a29203bbe4686cec702dca0468bf0edba9674b5dd542b7c47d8440483f96e5cc8b3c39654a7c8d36f67dadf2e429bfa81491180abc5
- Filesize: 8.2MB
  MD5: f45bfc455b25678125656829daeaff37
  SHA1: bcd7dd66bb760406eb2309cb09d1485a72b79430
  SHA256: fa2f6cb1896cae9e32512ded50f8d5e9d9a2c35a5778e139fe3059ababb6ba5d
  SHA512: 3edb43da90f3249a40d44c04ad122cbd373d337842413373b637c27327dd69682f8721e8b5bb325dd816fbe2317f3c3389c21790149595cd2e1cd4185b52481a
- Filesize: 8.2MB
  MD5: 251b6481ab586bfe0b6e2b8da69e4858
  SHA1: 2136a61ecee914975df5c661dd060e70de2c1ed1
  SHA256: 7bfc7f4ba3a24c5e461a6a29e72105db52e0a3c3810e376259ee1c7c738a08b8
  SHA512: 89152e3d629ef85f5d08591f7d1e41fd44022adde7cbe4f9309c3a72e3ab5b052ef706eee92460427fc9fde48c3c5578b939910927a74eaf5a4e4d3906843135
- Filesize: 8.2MB
  MD5: 9b88e635d9fb6dbc87a4b1fac2bd66cb
  SHA1: b5eadf49ed0cb8b555643408a5f311b119e106d1
  SHA256: e50b01dabb2c888aac0e0f52d7b83e142cd8296f8e3a1ce42d7be4654fdd6b15
  SHA512: c23bf7fbb29e7e2e5f36ffec93a56337a4b88e246c44bb40777d80561eba6059b32d615fce390f46775e8107d506317ac78b821950351ad892a76289cb0d175e
- Filesize: 1.4MB
  MD5: 25f62c02619174b35851b0e0455b3d94
  SHA1: 4e8ee85157f1769f6e3f61c0acbe59072209da71
  SHA256: 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
  SHA512: f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a