Analysis
-
max time kernel
150s -
max time network
142s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system -
submitted
19/05/2025, 14:28
Behavioral task
behavioral1
Sample
2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe
Resource
win10v2004-20250502-en
General
-
Target
2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe
-
Size
8.2MB
-
MD5
98fb17cd44481c16e1b7ee97315b8d15
-
SHA1
e736aca23e63bd7fb337a3015ed2a6aa86d63947
-
SHA256
c57a979d2d6317bec84e4c9ec97fee642d6188aa9f4b018a018bea332a4ebba8
-
SHA512
f250029f0f13d0a00d65b6ee63fa3108ad7fc4eb847317a9b525fe46006fd20b47de42cbd96bf188dff107443f6eaecff7de8022991985e4e01e296c2b53ca14
-
SSDEEP
49152:HyyqWyWy0GyqWyWyMRPC1eHc785dxytlWF17:HyyqWyWy0GyqWyWyMRPC1eHL5dxyjyp
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe -
UAC bypass 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\system32.exe 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" Gaara.exe -
Executes dropped EXE 30 IoCs
pid Process 5804 smss.exe 6012 smss.exe 4820 Gaara.exe 4024 smss.exe 4004 Gaara.exe 3368 csrss.exe 5092 smss.exe 5944 Gaara.exe 3080 csrss.exe 4872 Kazekage.exe 4360 smss.exe 1688 Gaara.exe 3024 csrss.exe 1000 Kazekage.exe 3600 system32.exe 2032 smss.exe 2012 Gaara.exe 2280 csrss.exe 1824 Kazekage.exe 1716 system32.exe 2896 system32.exe 5844 Kazekage.exe 3416 system32.exe 4396 csrss.exe 512 Kazekage.exe 5536 Gaara.exe 840 system32.exe 2036 csrss.exe 4484 Kazekage.exe 4540 system32.exe -
Loads dropped DLL 18 IoCs
pid Process 5804 smss.exe 6012 smss.exe 4820 Gaara.exe 4024 smss.exe 4004 Gaara.exe 3368 csrss.exe 5092 smss.exe 5944 Gaara.exe 3080 csrss.exe 4360 smss.exe 1688 Gaara.exe 3024 csrss.exe 2032 smss.exe 2012 Gaara.exe 2280 csrss.exe 4396 csrss.exe 5536 Gaara.exe 2036 csrss.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe -
Checks whether UAC is enabled 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification \??\Y:\Desktop.ini 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\E:\Desktop.ini system32.exe File opened for modification \??\T:\Desktop.ini system32.exe File opened for modification \??\Q:\Desktop.ini smss.exe File opened for modification \??\U:\Desktop.ini Kazekage.exe File opened for modification \??\A:\Desktop.ini Gaara.exe File opened for modification \??\R:\Desktop.ini Gaara.exe File opened for modification \??\R:\Desktop.ini system32.exe File opened for modification \??\W:\Desktop.ini Kazekage.exe File opened for modification D:\Desktop.ini Gaara.exe File opened for modification \??\O:\Desktop.ini csrss.exe File opened for modification F:\Desktop.ini system32.exe File opened for modification \??\R:\Desktop.ini smss.exe File opened for modification \??\M:\Desktop.ini Kazekage.exe File opened for modification F:\Desktop.ini 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\Z:\Desktop.ini system32.exe File opened for modification \??\M:\Desktop.ini smss.exe File opened for modification \??\N:\Desktop.ini Gaara.exe File opened for modification \??\S:\Desktop.ini Gaara.exe File opened for modification \??\H:\Desktop.ini 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\I:\Desktop.ini system32.exe File opened for modification \??\H:\Desktop.ini smss.exe File opened for modification \??\V:\Desktop.ini smss.exe File opened for modification \??\Y:\Desktop.ini Kazekage.exe File opened for modification \??\Z:\Desktop.ini Kazekage.exe File opened for modification \??\B:\Desktop.ini csrss.exe File opened for modification \??\K:\Desktop.ini system32.exe File opened for modification F:\Desktop.ini smss.exe File opened for modification \??\P:\Desktop.ini Kazekage.exe File opened for modification F:\Desktop.ini csrss.exe File opened for modification \??\M:\Desktop.ini csrss.exe File opened for modification \??\B:\Desktop.ini Gaara.exe File opened for modification \??\X:\Desktop.ini Gaara.exe File opened for modification \??\A:\Desktop.ini 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\Z:\Desktop.ini 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\A:\Desktop.ini smss.exe File opened for modification \??\G:\Desktop.ini smss.exe File opened for modification \??\K:\Desktop.ini Kazekage.exe File opened for modification \??\T:\Desktop.ini Kazekage.exe File opened for modification F:\Desktop.ini Gaara.exe File opened for modification \??\J:\Desktop.ini Gaara.exe File opened for modification \??\G:\Desktop.ini 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\B:\Desktop.ini system32.exe File opened for modification C:\Desktop.ini system32.exe File opened for modification \??\V:\Desktop.ini system32.exe File opened for modification \??\V:\Desktop.ini Gaara.exe File opened for modification \??\W:\Desktop.ini Gaara.exe File opened for modification \??\T:\Desktop.ini 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\G:\Desktop.ini system32.exe File opened for modification \??\W:\Desktop.ini system32.exe File opened for modification \??\E:\Desktop.ini Gaara.exe File opened for modification \??\L:\Desktop.ini Gaara.exe File opened for modification \??\P:\Desktop.ini smss.exe File opened for modification F:\Desktop.ini Kazekage.exe File opened for modification \??\R:\Desktop.ini Kazekage.exe File opened for modification C:\Desktop.ini Gaara.exe File opened for modification D:\Desktop.ini 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\U:\Desktop.ini smss.exe File opened for modification \??\Q:\Desktop.ini Kazekage.exe File opened for modification \??\G:\Desktop.ini Gaara.exe File opened for modification \??\A:\Desktop.ini csrss.exe File opened for modification \??\N:\Desktop.ini 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\I:\Desktop.ini smss.exe File opened for modification \??\X:\Desktop.ini smss.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\V: csrss.exe File opened (read-only) \??\W: smss.exe File opened (read-only) \??\G: 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\P: 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\E: system32.exe File opened (read-only) \??\S: system32.exe File opened (read-only) \??\W: system32.exe File opened (read-only) \??\L: smss.exe File opened (read-only) \??\W: Gaara.exe File opened (read-only) \??\I: system32.exe File opened (read-only) \??\R: Gaara.exe File opened (read-only) \??\S: 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\Y: 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\Y: system32.exe File opened (read-only) \??\T: Gaara.exe File opened (read-only) \??\Q: Kazekage.exe File opened (read-only) \??\M: system32.exe File opened (read-only) \??\N: Gaara.exe File opened (read-only) \??\U: csrss.exe File opened (read-only) \??\E: 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\G: Kazekage.exe File opened (read-only) \??\P: csrss.exe File opened (read-only) \??\R: system32.exe File opened (read-only) \??\S: csrss.exe File opened (read-only) \??\N: smss.exe File opened (read-only) \??\B: Gaara.exe File opened (read-only) \??\J: Gaara.exe File opened (read-only) \??\Q: Gaara.exe File opened (read-only) \??\Q: 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\G: system32.exe File opened (read-only) \??\Y: smss.exe File opened (read-only) \??\N: csrss.exe File opened (read-only) \??\R: smss.exe File opened (read-only) \??\Z: smss.exe File opened (read-only) \??\H: system32.exe File opened (read-only) \??\J: system32.exe File opened (read-only) \??\J: smss.exe File opened (read-only) \??\I: csrss.exe File opened (read-only) \??\M: csrss.exe File opened (read-only) \??\T: 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\Z: 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\G: smss.exe File opened (read-only) \??\M: Gaara.exe File opened (read-only) \??\R: csrss.exe File opened (read-only) \??\I: smss.exe File opened (read-only) \??\R: Kazekage.exe File opened (read-only) \??\V: Kazekage.exe File opened (read-only) \??\W: Kazekage.exe File opened (read-only) \??\V: Gaara.exe File opened (read-only) \??\B: 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\B: system32.exe File opened (read-only) \??\Z: system32.exe File opened (read-only) \??\E: Kazekage.exe File opened (read-only) \??\L: Gaara.exe File opened (read-only) \??\E: csrss.exe File opened (read-only) \??\O: Kazekage.exe File opened (read-only) \??\U: Gaara.exe File opened (read-only) \??\Y: Gaara.exe File opened (read-only) \??\S: Kazekage.exe File opened (read-only) \??\H: csrss.exe File opened (read-only) \??\K: csrss.exe File opened (read-only) \??\Q: csrss.exe File opened (read-only) \??\O: 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\Q: system32.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification \??\I:\Autorun.inf 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\V:\Autorun.inf 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\M:\Autorun.inf Gaara.exe File opened for modification D:\Autorun.inf csrss.exe File opened for modification F:\Autorun.inf csrss.exe File opened for modification \??\J:\Autorun.inf Kazekage.exe File created \??\M:\Autorun.inf Kazekage.exe File opened for modification D:\Autorun.inf system32.exe File created \??\R:\Autorun.inf 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File created \??\X:\Autorun.inf Gaara.exe File opened for modification \??\A:\Autorun.inf csrss.exe File created \??\V:\Autorun.inf csrss.exe File opened for modification \??\R:\Autorun.inf system32.exe File created \??\T:\Autorun.inf system32.exe File opened for modification \??\M:\Autorun.inf 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File created \??\O:\Autorun.inf 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File created \??\H:\Autorun.inf smss.exe File opened for modification \??\Y:\Autorun.inf Gaara.exe File created \??\J:\Autorun.inf system32.exe File created \??\B:\Autorun.inf smss.exe File opened for modification \??\A:\Autorun.inf Kazekage.exe File created \??\K:\Autorun.inf Kazekage.exe File opened for modification \??\J:\Autorun.inf 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\A:\Autorun.inf smss.exe File created \??\O:\Autorun.inf Gaara.exe File opened for modification \??\Z:\Autorun.inf Kazekage.exe File opened for modification \??\I:\Autorun.inf system32.exe File created \??\U:\Autorun.inf 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\E:\Autorun.inf smss.exe File opened for modification \??\Z:\Autorun.inf smss.exe File created \??\Z:\Autorun.inf csrss.exe File created \??\W:\Autorun.inf Gaara.exe File opened for modification \??\N:\Autorun.inf smss.exe File created \??\T:\Autorun.inf smss.exe File created \??\P:\Autorun.inf csrss.exe File opened for modification \??\Y:\Autorun.inf system32.exe File created \??\A:\Autorun.inf smss.exe File created \??\Z:\Autorun.inf 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File created F:\Autorun.inf 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\J:\Autorun.inf Gaara.exe File created \??\N:\Autorun.inf csrss.exe File created \??\T:\Autorun.inf csrss.exe File opened for modification \??\U:\Autorun.inf 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\G:\Autorun.inf csrss.exe File created \??\K:\Autorun.inf csrss.exe File created \??\B:\Autorun.inf Kazekage.exe File opened for modification \??\N:\Autorun.inf Kazekage.exe File created \??\O:\Autorun.inf Kazekage.exe File opened for modification \??\Q:\Autorun.inf Kazekage.exe File created \??\L:\Autorun.inf smss.exe File opened for modification \??\O:\Autorun.inf smss.exe File created \??\R:\Autorun.inf smss.exe File created \??\Y:\Autorun.inf csrss.exe File opened for modification \??\B:\Autorun.inf Kazekage.exe File opened for modification F:\Autorun.inf Kazekage.exe File created \??\E:\Autorun.inf system32.exe File created \??\M:\Autorun.inf system32.exe File opened for modification C:\Autorun.inf 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File created \??\E:\Autorun.inf smss.exe File created \??\Q:\Autorun.inf smss.exe File created \??\Z:\Autorun.inf system32.exe File created \??\I:\Autorun.inf 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\L:\Autorun.inf smss.exe File created \??\Y:\Autorun.inf smss.exe -
Drops file in System32 directory 39 IoCs
description ioc Process File created C:\Windows\SysWOW64\19-5-2025.exe 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\19-5-2025.exe system32.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\SysWOW64\19-5-2025.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\ 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\19-5-2025.exe 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\19-5-2025.exe smss.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\19-5-2025.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\ smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\19-5-2025.exe csrss.exe File created C:\Windows\SysWOW64\Desktop.ini 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File created C:\Windows\SysWOW64\mscomctl.ocx 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe -
resource yara_rule behavioral1/memory/3944-0-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024282-11.dat upx behavioral1/files/0x0007000000024280-31.dat upx behavioral1/memory/5804-32-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024284-49.dat upx behavioral1/files/0x0007000000024285-53.dat upx behavioral1/memory/4820-76-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/6012-79-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024281-74.dat upx behavioral1/files/0x0007000000024284-87.dat upx behavioral1/memory/4024-108-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024286-95.dat upx behavioral1/files/0x0007000000024285-91.dat upx behavioral1/memory/4024-114-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4004-113-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4004-117-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024282-119.dat upx behavioral1/memory/3368-120-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024284-128.dat upx behavioral1/memory/5092-155-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5944-158-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3080-161-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024285-166.dat upx behavioral1/memory/4872-165-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3944-164-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5804-189-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4820-194-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1688-200-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3024-203-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1000-206-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/files/0x0007000000024286-210.dat upx behavioral1/memory/3600-211-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3368-209-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2032-231-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2012-234-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1824-238-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4872-237-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1824-241-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/1716-245-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2896-244-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2896-251-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5844-254-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3416-257-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/3600-260-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/512-263-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/840-271-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/5536-269-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/2036-268-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4484-275-0x0000000000400000-0x000000000042B000-memory.dmp upx behavioral1/memory/4540-278-0x0000000000400000-0x000000000042B000-memory.dmp upx -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\mscomctl.ocx csrss.exe File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe smss.exe File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe csrss.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe smss.exe File opened for modification C:\Windows\system\mscoree.dll Kazekage.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe Kazekage.exe File opened for modification C:\Windows\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe Gaara.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe csrss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg system32.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe system32.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\WBEM\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe Kazekage.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe system32.exe File opened for modification C:\Windows\mscomctl.ocx 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\ smss.exe File opened for modification C:\Windows\mscomctl.ocx system32.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Kazekage.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe csrss.exe File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe system32.exe File created C:\Windows\WBEM\msvbvm60.dll system32.exe File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe Kazekage.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll Kazekage.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe smss.exe File opened for modification C:\Windows\ system32.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe Gaara.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe csrss.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe smss.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\msvbvm60.dll 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe Kazekage.exe File opened for modification C:\Windows\mscomctl.ocx smss.exe File opened for modification C:\Windows\ Kazekage.exe File opened for modification C:\Windows\system\mscoree.dll 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe smss.exe File opened for modification C:\Windows\msvbvm60.dll csrss.exe File opened for modification C:\Windows\ csrss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\WBEM\msvbvm60.dll 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe Gaara.exe File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\ Gaara.exe File opened for modification C:\Windows\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe system32.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll system32.exe File opened for modification C:\Windows\ 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\mscoree.dll csrss.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe csrss.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe Kazekage.exe File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe system32.exe -
System Location Discovery: System Language Discovery 1 TTPs 63 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 32 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 428 ping.exe 5676 ping.exe 1616 ping.exe 828 ping.exe 3444 ping.exe 1164 ping.exe 5436 ping.exe 5000 ping.exe 1728 ping.exe 2588 ping.exe 2324 ping.exe 5916 ping.exe 264 ping.exe 4056 ping.exe 3364 ping.exe 1288 ping.exe 400 ping.exe 5652 ping.exe 4640 ping.exe 1504 ping.exe 4980 ping.exe 5924 ping.exe 4640 ping.exe 4260 ping.exe 5800 ping.exe 4772 ping.exe 5536 ping.exe 6044 ping.exe 5240 ping.exe 3576 ping.exe 840 ping.exe 5376 ping.exe -
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\WallpaperStyle = "2" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\WallpaperStyle = "2" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Speed = "4" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" smss.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Size = "72" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\WallpaperStyle = "2" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Control Panel\Desktop\WallpaperStyle = "2" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Software\Microsoft\Internet Explorer\Main 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Software\Microsoft\Internet Explorer\Main system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Software\Microsoft\Internet Explorer\Main smss.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3299287909-2279959458-198972791-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe -
Modifies registry class 51 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe -
Runs ping.exe 1 TTPs 32 IoCs
pid Process 1164 ping.exe 4980 ping.exe 3576 ping.exe 5376 ping.exe 1616 ping.exe 4640 ping.exe 4772 ping.exe 3364 ping.exe 5000 ping.exe 4260 ping.exe 5800 ping.exe 3444 ping.exe 5916 ping.exe 400 ping.exe 840 ping.exe 264 ping.exe 5924 ping.exe 6044 ping.exe 5436 ping.exe 5536 ping.exe 2588 ping.exe 2324 ping.exe 5240 ping.exe 1288 ping.exe 1728 ping.exe 828 ping.exe 4640 ping.exe 1504 ping.exe 428 ping.exe 5676 ping.exe 4056 ping.exe 5652 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3368 csrss.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 3600 system32.exe 3600 system32.exe 3600 system32.exe 3600 system32.exe 3600 system32.exe 3600 system32.exe 3600 system32.exe 3600 system32.exe 3600 system32.exe 3600 system32.exe 3600 system32.exe 3600 system32.exe 3600 system32.exe 3600 system32.exe 3600 system32.exe 3600 system32.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 5804 smss.exe 6012 smss.exe 4820 Gaara.exe 4024 smss.exe 4004 Gaara.exe 3368 csrss.exe 5092 smss.exe 5944 Gaara.exe 3080 csrss.exe 4872 Kazekage.exe 4360 smss.exe 1688 Gaara.exe 3024 csrss.exe 1000 Kazekage.exe 3600 system32.exe 2032 smss.exe 2012 Gaara.exe 2280 csrss.exe 1824 Kazekage.exe 1716 system32.exe 2896 system32.exe 5844 Kazekage.exe 3416 system32.exe 4396 csrss.exe 512 Kazekage.exe 5536 Gaara.exe 840 system32.exe 2036 csrss.exe 4484 Kazekage.exe 4540 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3944 wrote to memory of 5804 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 86 PID 3944 wrote to memory of 5804 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 86 PID 3944 wrote to memory of 5804 3944 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe 86 PID 5804 wrote to memory of 6012 5804 smss.exe 89 PID 5804 wrote to memory of 6012 5804 smss.exe 89 PID 5804 wrote to memory of 6012 5804 smss.exe 89 PID 5804 wrote to memory of 4820 5804 smss.exe 90 PID 5804 wrote to memory of 4820 5804 smss.exe 90 PID 5804 wrote to memory of 4820 5804 smss.exe 90 PID 4820 wrote to memory of 4024 4820 Gaara.exe 91 PID 4820 wrote to memory of 4024 4820 Gaara.exe 91 PID 4820 wrote to memory of 4024 4820 Gaara.exe 91 PID 4820 wrote to memory of 4004 4820 Gaara.exe 92 PID 4820 wrote to memory of 4004 4820 Gaara.exe 92 PID 4820 wrote to memory of 4004 4820 Gaara.exe 92 PID 4820 wrote to memory of 3368 4820 Gaara.exe 95 PID 4820 wrote to memory of 3368 4820 Gaara.exe 95 PID 4820 wrote to memory of 3368 4820 Gaara.exe 95 PID 3368 wrote to memory of 5092 3368 csrss.exe 96 PID 3368 wrote to memory of 5092 3368 csrss.exe 96 PID 3368 wrote to memory of 5092 3368 csrss.exe 96 PID 3368 wrote to memory of 5944 3368 csrss.exe 97 PID 3368 wrote to memory of 5944 3368 csrss.exe 97 PID 3368 wrote to memory of 5944 3368 csrss.exe 97 PID 3368 wrote to memory of 3080 3368 csrss.exe 100 PID 3368 wrote to memory of 3080 3368 csrss.exe 100 PID 3368 wrote to memory of 3080 3368 csrss.exe 100 PID 3368 wrote to memory of 4872 3368 csrss.exe 102 PID 3368 wrote to memory of 4872 3368 csrss.exe 102 PID 3368 wrote to memory of 4872 3368 csrss.exe 102 PID 4872 wrote to memory of 4360 4872 Kazekage.exe 103 PID 4872 wrote to memory of 4360 4872 Kazekage.exe 103 PID 4872 wrote to memory of 4360 4872 Kazekage.exe 103 PID 4872 wrote to memory of 1688 4872 Kazekage.exe 105 PID 4872 wrote to memory of 1688 4872 Kazekage.exe 105 PID 4872 wrote to memory of 1688 4872 Kazekage.exe 105 PID 4872 wrote to memory of 3024 4872 Kazekage.exe 106 PID 4872 wrote to memory of 3024 4872 Kazekage.exe 106 PID 4872 wrote to memory of 3024 4872 Kazekage.exe 106 PID 4872 wrote to memory of 1000 4872 Kazekage.exe 107 PID 4872 wrote to memory of 1000 4872 Kazekage.exe 107 PID 4872 wrote to memory of 1000 4872 Kazekage.exe 107 PID 4872 wrote to memory of 3600 4872 Kazekage.exe 108 PID 4872 wrote to memory of 3600 4872 Kazekage.exe 108 PID 4872 wrote to memory of 3600 4872 Kazekage.exe 108 PID 3600 wrote to memory of 2032 3600 system32.exe 110 PID 3600 wrote to memory of 2032 3600 system32.exe 110 PID 3600 wrote to memory of 2032 3600 system32.exe 110 PID 3600 wrote to memory of 2012 3600 system32.exe 111 PID 3600 wrote to memory of 2012 3600 system32.exe 111 PID 3600 wrote to memory of 2012 3600 system32.exe 111 PID 3600 wrote to memory of 2280 3600 system32.exe 112 PID 3600 wrote to memory of 2280 3600 system32.exe 112 PID 3600 wrote to memory of 2280 3600 system32.exe 112 PID 3600 wrote to memory of 1824 3600 system32.exe 113 PID 3600 wrote to memory of 1824 3600 system32.exe 113 PID 3600 wrote to memory of 1824 3600 system32.exe 113 PID 3600 wrote to memory of 1716 3600 system32.exe 114 PID 3600 wrote to memory of 1716 3600 system32.exe 114 PID 3600 wrote to memory of 1716 3600 system32.exe 114 PID 3368 wrote to memory of 2896 3368 csrss.exe 116 PID 3368 wrote to memory of 2896 3368 csrss.exe 116 PID 3368 wrote to memory of 2896 3368 csrss.exe 116 PID 4820 wrote to memory of 5844 4820 Gaara.exe 118 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-19_98fb17cd44481c16e1b7ee97315b8d15_amadey_black-basta_elex_luca-stealer.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3944 -
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5804 -
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6012
-
-
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4820 -
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4024
-
-
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4004
-
-
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3368 -
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5092
-
-
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5944
-
-
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3080
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4872 -
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4360
-
-
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1688
-
-
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3024
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1000
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3600 -
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2032
-
-
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2012
-
-
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2280
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1824
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1716
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5376
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5676
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4772
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2588
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5916
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1164
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5924
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:264
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1288
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4640
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2896
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5536
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:840
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5800
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4056
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5240
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3444
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5844
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3416
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3576
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:428
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1728
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4260
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5652
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2324
-
-
-
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4396
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:512
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:840
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4980
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5436
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4640
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1616
-
-
-
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5536
-
-
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2036
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4484
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4540
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:400
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1504
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5000
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6044
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3364
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:828
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\smss.exe1⤵PID:6024
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\Gaara.exe1⤵PID:3492
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 19-5-2025.exe1⤵PID:2076
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4208
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD51564dfe69ffed40950e5cb644e0894d1
SHA1201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA51272df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
8.2MB
MD54780987de1ba478c9b5a76ea962521c4
SHA168eba2e52176a457f3e68d36aed727113182245e
SHA256b1e9c18389599ade8f7390a45aa618760daefb339c669f6e8e6cecb2a9f8c914
SHA512feaf43cdb93a9be78c93f75478ba8ed1dfe9279722f68b87f1c8cd8b620c5927229b4be238ecd7752881a984ebb258e7f46b792015157aa7280360f7d556be81
-
Filesize
8.2MB
MD598fb17cd44481c16e1b7ee97315b8d15
SHA1e736aca23e63bd7fb337a3015ed2a6aa86d63947
SHA256c57a979d2d6317bec84e4c9ec97fee642d6188aa9f4b018a018bea332a4ebba8
SHA512f250029f0f13d0a00d65b6ee63fa3108ad7fc4eb847317a9b525fe46006fd20b47de42cbd96bf188dff107443f6eaecff7de8022991985e4e01e296c2b53ca14
-
Filesize
8.2MB
MD5b77c770292fef155a065cdca6b15a569
SHA1c654e99009bb247d8105255ac19c4549a9656d0f
SHA256215e010c645f8bf5d0a6f645ff879a2ef75fd2f09511c71cc6ae2a698aa76953
SHA51209231757320c940ede61e0517a69a8a706d128bd94c456f39d02e6411ec8b22fac9532c89d12f473ac2ce5a994b0c4c27cb64e84fcf3c399190e08ce1b61f256
-
Filesize
8.2MB
MD5a1775b33af74ed139ee4a0426a8e316c
SHA16aa703a50e61d034d07e1200a6f3157761122128
SHA256a0d93319e87b17ea0476787248719377e0a25f1f7e5a1fcfdb21125fc7c17ee7
SHA512e0c23faccdb08bc3e06c00b7369de7995e207430707e38156114b6983bfd9313c82063f75add8dadf1d2f68bd3bccdabeeaddad60f34f2017ee29043ab367130
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
2.8MB
MD539253a8b73aea8d2f65383d9803e0f83
SHA10c8f267f69d0f9dc183f47cf42faa35ad4c217e4
SHA25671245be01d1171b29b3ddd4b97c3771111b37fc0634c406b712965c34bcb22c1
SHA512bebff167e9989d88163da8b563da27a136b37ba3340894f3a83acd9434be2b1a9903649e148657ee3e898fe25dc3f2a91e1c709f0753153ae5f0b0603147c97c
-
Filesize
6.4MB
MD5e7263af04f30a1aef93ed3d3b6786530
SHA1da32628602e9ad8995c9a742898fb2c9c1c8de5c
SHA256335cc6b904da696c79012ed59117de4148beb885f481345e03555669c60ca1f9
SHA51285f02343f6c0a0aa829039791be955ed26e21cd97b826a7ab7f4ac8911bffefcd51b8d0af5116d8c515205e479b9c739c3649c299891cad71b912c06fe67b557
-
Filesize
4.6MB
MD5f1f8eeed42b61be4c6be8b2e1be46012
SHA18122d9cc78cd6ab074ed024e9ea30e03e877f254
SHA25605fffbba39b2e28775716e871815fa0c9bef294a255a98db96465a2530447c95
SHA512d3f4eaa2d20a9ee32750bccf5bfa02912e4e1db2aa5ef2cb4bd34171c01d37f2a4a276d9eeb30a6e3bc065e101af475335e8df5c55619382137a522f4b7cdf0f
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
8.2MB
MD51bee3fbc936b14ad048a1ef8c3c08bc1
SHA14e862ab732df590da3a4bf4dbcb9aa283c93255c
SHA256c49d853841c043eafbbcaa23530c854e8c740aca984400ec411c299b287a68ce
SHA512d43c91507819407037009b6a2bca6ee8d938dc7668dc56e3f377ff84004629bb5270a0d720cec8a7d98fe1d6a52b5b8f5c9eb0f3488d2be997034fdede32b1a0
-
Filesize
2.7MB
MD526eb6be53d87275ec1e57b7acd3dc654
SHA16978e153cdceaced01a6bc0bf7f74fe7bc22132c
SHA25656edc6754a8f93d1de8e499c0b3f4072d7638383034560367cfa55eb78b119a1
SHA512db25cd866c92f8cb717103dd641105bc0af5a4af470f8b2d1d86da3db98d80d0594624b2a1664dfcec7e434304542fa859c144dbc8f8a4071cc576b85a201502
-
Filesize
8.2MB
MD5720cc03e38512c7d655fbe569f0cefbf
SHA1566eea4d0331f6ed0f19c2d414e4b4d4c8d01330
SHA2566011794cbfab5d01c4416fc696f8ed2b44469f6c602c3e904691399c3129605d
SHA5126ee7a097b82e9f9ca567454f47c2716ee649d4e3b5273d19c4b2b636300469cb109ec12a5f010d14a4fc4e6411d63e7cedc1c025c0795afc1e5038e784a58c58
-
Filesize
8.2MB
MD5b153250d8daa81bb71a270a72c035ff8
SHA1e12bfbff04464ef4bdb1c0faf6ac0ebc88cf016b
SHA2567e08e5b2ad2455ca48e8ba2b279ac1e165c23d7be2a3bdb2639965e300a76e46
SHA512ca3e0b07d38020fe4cd150cd861efa4f255c73051dc19aae1892aad8af6a2c000c6ff22f1ffbe5ea7ff290a6808648cb6aebee86f7f6bca28792391c8d3f8e72
-
Filesize
8.2MB
MD5c3229e717bf0c81d648c02856fe8d83f
SHA1b0779228de1011825da93dfc556b9715ff154ab3
SHA25632821c3c08949aa7bd1bf735d7f3a2650c923210bf9c2b47f9f5157dc4e19eaa
SHA5124f218c6b9c26e4a6f8357484954641ed06b18c7f7856501ca60a4cc3fb0c725ae7741217c01c3af25dac812abb59cf1d8b506a2135a0b99fd7b6d9680dd65c79
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a