Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system -
submitted
29/05/2025, 11:07
Behavioral task
behavioral1
Sample
2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe
Resource
win11-20250502-en
General
-
Target
2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe
-
Size
9.1MB
-
MD5
0907ffbf662cae89a8751ab25d32d9b2
-
SHA1
40f30266ade343e73282d8c939373c7c38f9f724
-
SHA256
1c3bb7ae580061255ae6ca6119765ca282b2d529b2542d50331f798114adba99
-
SHA512
2b60202c1cdab8800f84cb923912b9f54bf1934c81d88f82ca6a090d722912e49bf3c58a27f2bb6e32108e589e1a82e989cc55dd5f8805ef8ff178355a1fc450
-
SSDEEP
98304:gGyqWyWy0GyqWyWyMRPC1em1eHL5dGTEYm:N1em1eHL5dem
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe -
UAC bypass 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe -
Executes dropped EXE 30 IoCs
pid Process 4836 smss.exe 4560 smss.exe 3104 Gaara.exe 3952 smss.exe 1524 Gaara.exe 1196 csrss.exe 4232 smss.exe 3372 Gaara.exe 408 Gaara.exe 460 csrss.exe 2732 csrss.exe 1968 Kazekage.exe 624 Kazekage.exe 3564 system32.exe 1888 smss.exe 1652 csrss.exe 4016 Gaara.exe 3396 Kazekage.exe 1032 csrss.exe 2268 smss.exe 2700 system32.exe 2996 Kazekage.exe 1512 Gaara.exe 4184 system32.exe 2312 csrss.exe 4708 system32.exe 4968 Kazekage.exe 224 system32.exe 748 Kazekage.exe 2068 system32.exe -
Loads dropped DLL 18 IoCs
pid Process 4836 smss.exe 4560 smss.exe 3104 Gaara.exe 3952 smss.exe 1524 Gaara.exe 1196 csrss.exe 4232 smss.exe 3372 Gaara.exe 408 Gaara.exe 460 csrss.exe 2732 csrss.exe 1888 smss.exe 1652 csrss.exe 4016 Gaara.exe 1032 csrss.exe 2268 smss.exe 1512 Gaara.exe 2312 csrss.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" Kazekage.exe -
Checks whether UAC is enabled 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification C:\Desktop.ini system32.exe File opened for modification \??\N:\Desktop.ini system32.exe File opened for modification \??\E:\Desktop.ini 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\N:\Desktop.ini csrss.exe File opened for modification \??\X:\Desktop.ini 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Desktop.ini Gaara.exe File opened for modification \??\O:\Desktop.ini 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\U:\Desktop.ini system32.exe File opened for modification \??\V:\Desktop.ini csrss.exe File opened for modification \??\P:\Desktop.ini Gaara.exe File opened for modification \??\Z:\Desktop.ini smss.exe File opened for modification \??\O:\Desktop.ini system32.exe File opened for modification \??\R:\Desktop.ini system32.exe File opened for modification \??\K:\Desktop.ini csrss.exe File opened for modification \??\Z:\Desktop.ini 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\T:\Desktop.ini csrss.exe File opened for modification \??\L:\Desktop.ini smss.exe File opened for modification \??\T:\Desktop.ini Kazekage.exe File opened for modification \??\U:\Desktop.ini smss.exe File opened for modification \??\P:\Desktop.ini system32.exe File opened for modification \??\V:\Desktop.ini system32.exe File opened for modification F:\Desktop.ini 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\J:\Desktop.ini 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\X:\Desktop.ini Gaara.exe File opened for modification \??\V:\Desktop.ini smss.exe File opened for modification \??\O:\Desktop.ini csrss.exe File opened for modification \??\Y:\Desktop.ini 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification D:\Desktop.ini Kazekage.exe File opened for modification \??\Y:\Desktop.ini Kazekage.exe File opened for modification \??\L:\Desktop.ini system32.exe File opened for modification \??\Z:\Desktop.ini system32.exe File opened for modification \??\K:\Desktop.ini 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\U:\Desktop.ini csrss.exe File opened for modification \??\L:\Desktop.ini Gaara.exe File opened for modification \??\B:\Desktop.ini 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification F:\Desktop.ini csrss.exe File opened for modification \??\M:\Desktop.ini Gaara.exe File opened for modification \??\N:\Desktop.ini Gaara.exe File opened for modification \??\S:\Desktop.ini smss.exe File opened for modification C:\Desktop.ini 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\L:\Desktop.ini 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\N:\Desktop.ini 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\Z:\Desktop.ini csrss.exe File opened for modification \??\H:\Desktop.ini Gaara.exe File opened for modification \??\Q:\Desktop.ini Gaara.exe File opened for modification \??\S:\Desktop.ini system32.exe File opened for modification \??\Y:\Desktop.ini system32.exe File opened for modification \??\H:\Desktop.ini csrss.exe File opened for modification \??\J:\Desktop.ini csrss.exe File opened for modification \??\P:\Desktop.ini 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\U:\Desktop.ini Gaara.exe File opened for modification \??\A:\Desktop.ini smss.exe File opened for modification D:\Desktop.ini smss.exe File opened for modification \??\K:\Desktop.ini Kazekage.exe File opened for modification \??\H:\Desktop.ini smss.exe File opened for modification \??\U:\Desktop.ini Kazekage.exe File opened for modification \??\Z:\Desktop.ini Kazekage.exe File opened for modification \??\J:\Desktop.ini system32.exe File opened for modification F:\Desktop.ini Gaara.exe File opened for modification D:\Desktop.ini system32.exe File opened for modification \??\L:\Desktop.ini csrss.exe File opened for modification \??\S:\Desktop.ini Gaara.exe File opened for modification \??\Z:\Desktop.ini Gaara.exe File opened for modification \??\G:\Desktop.ini Kazekage.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\T: csrss.exe File opened (read-only) \??\Q: Kazekage.exe File opened (read-only) \??\O: Kazekage.exe File opened (read-only) \??\U: Kazekage.exe File opened (read-only) \??\A: system32.exe File opened (read-only) \??\B: csrss.exe File opened (read-only) \??\Y: Gaara.exe File opened (read-only) \??\J: smss.exe File opened (read-only) \??\J: 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\W: smss.exe File opened (read-only) \??\V: csrss.exe File opened (read-only) \??\H: Gaara.exe File opened (read-only) \??\O: system32.exe File opened (read-only) \??\P: Gaara.exe File opened (read-only) \??\Z: Gaara.exe File opened (read-only) \??\P: Kazekage.exe File opened (read-only) \??\B: Kazekage.exe File opened (read-only) \??\S: system32.exe File opened (read-only) \??\G: csrss.exe File opened (read-only) \??\I: 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\H: csrss.exe File opened (read-only) \??\O: csrss.exe File opened (read-only) \??\I: Gaara.exe File opened (read-only) \??\N: Kazekage.exe File opened (read-only) \??\W: Kazekage.exe File opened (read-only) \??\Z: Kazekage.exe File opened (read-only) \??\T: system32.exe File opened (read-only) \??\O: Gaara.exe File opened (read-only) \??\B: smss.exe File opened (read-only) \??\X: csrss.exe File opened (read-only) \??\K: 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\Q: csrss.exe File opened (read-only) \??\M: Gaara.exe File opened (read-only) \??\R: Gaara.exe File opened (read-only) \??\U: smss.exe File opened (read-only) \??\O: 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\Y: 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\G: Gaara.exe File opened (read-only) \??\L: Gaara.exe File opened (read-only) \??\I: Kazekage.exe File opened (read-only) \??\G: smss.exe File opened (read-only) \??\E: csrss.exe File opened (read-only) \??\H: 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\Z: csrss.exe File opened (read-only) \??\S: Gaara.exe File opened (read-only) \??\I: smss.exe File opened (read-only) \??\R: Kazekage.exe File opened (read-only) \??\Q: smss.exe File opened (read-only) \??\V: Kazekage.exe File opened (read-only) \??\H: system32.exe File opened (read-only) \??\B: 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\R: csrss.exe File opened (read-only) \??\Z: 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\S: Kazekage.exe File opened (read-only) \??\A: csrss.exe File opened (read-only) \??\L: 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\P: 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\P: csrss.exe File opened (read-only) \??\W: 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\U: csrss.exe File opened (read-only) \??\H: smss.exe File opened (read-only) \??\J: system32.exe File opened (read-only) \??\N: csrss.exe File opened (read-only) \??\A: Gaara.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File opened for modification \??\Q:\Autorun.inf csrss.exe File created \??\G:\Autorun.inf 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File created \??\N:\Autorun.inf smss.exe File opened for modification \??\R:\Autorun.inf csrss.exe File created D:\Autorun.inf Kazekage.exe File opened for modification \??\G:\Autorun.inf Kazekage.exe File created \??\K:\Autorun.inf Kazekage.exe File opened for modification \??\G:\Autorun.inf 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File created \??\Y:\Autorun.inf Gaara.exe File opened for modification \??\O:\Autorun.inf csrss.exe File opened for modification \??\P:\Autorun.inf csrss.exe File created \??\K:\Autorun.inf Gaara.exe File created \??\Y:\Autorun.inf csrss.exe File opened for modification C:\Autorun.inf Kazekage.exe File created \??\V:\Autorun.inf 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File created \??\J:\Autorun.inf system32.exe File created \??\W:\Autorun.inf Gaara.exe File opened for modification \??\X:\Autorun.inf Gaara.exe File created \??\V:\Autorun.inf Kazekage.exe File created \??\A:\Autorun.inf Gaara.exe File created \??\G:\Autorun.inf Gaara.exe File created \??\I:\Autorun.inf Gaara.exe File opened for modification \??\T:\Autorun.inf Gaara.exe File created \??\N:\Autorun.inf 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File created \??\Q:\Autorun.inf 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File created \??\T:\Autorun.inf 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File created \??\Y:\Autorun.inf smss.exe File created \??\B:\Autorun.inf system32.exe File opened for modification \??\X:\Autorun.inf system32.exe File created \??\W:\Autorun.inf 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\R:\Autorun.inf smss.exe File opened for modification \??\Z:\Autorun.inf smss.exe File created \??\P:\Autorun.inf csrss.exe File opened for modification \??\K:\Autorun.inf system32.exe File created \??\R:\Autorun.inf csrss.exe File created \??\U:\Autorun.inf smss.exe File created \??\U:\Autorun.inf 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File created \??\E:\Autorun.inf 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\P:\Autorun.inf 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\H:\Autorun.inf smss.exe File created \??\A:\Autorun.inf system32.exe File opened for modification \??\Z:\Autorun.inf 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification F:\Autorun.inf Gaara.exe File opened for modification \??\L:\Autorun.inf csrss.exe File created \??\S:\Autorun.inf csrss.exe File opened for modification \??\N:\Autorun.inf Kazekage.exe File opened for modification \??\S:\Autorun.inf Kazekage.exe File opened for modification \??\Y:\Autorun.inf smss.exe File opened for modification \??\E:\Autorun.inf Gaara.exe File created \??\Z:\Autorun.inf Gaara.exe File created \??\Y:\Autorun.inf system32.exe File created \??\B:\Autorun.inf 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\M:\Autorun.inf 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\J:\Autorun.inf smss.exe File created \??\Z:\Autorun.inf system32.exe File opened for modification \??\J:\Autorun.inf Kazekage.exe File created D:\Autorun.inf system32.exe File created \??\E:\Autorun.inf system32.exe File opened for modification \??\P:\Autorun.inf system32.exe File created D:\Autorun.inf smss.exe File created \??\A:\Autorun.inf csrss.exe File opened for modification \??\B:\Autorun.inf csrss.exe File created \??\U:\Autorun.inf Kazekage.exe File opened for modification \??\E:\Autorun.inf system32.exe -
Drops file in System32 directory 39 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File created C:\Windows\SysWOW64\msvbvm60.dll 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe csrss.exe File created C:\Windows\SysWOW64\Desktop.ini 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\mscomctl.ocx 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe system32.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe Kazekage.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\ 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\ smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File created C:\Windows\SysWOW64\29-5-2025.exe 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe -
resource yara_rule behavioral1/memory/3036-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x00070000000240c9-11.dat upx behavioral1/files/0x00070000000240c7-31.dat upx behavioral1/memory/4836-33-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x00070000000240c9-46.dat upx behavioral1/files/0x00070000000240ca-49.dat upx behavioral1/files/0x00070000000240cb-53.dat upx behavioral1/files/0x00070000000240cc-57.dat upx behavioral1/memory/4560-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4560-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x00070000000240c8-77.dat upx behavioral1/memory/3104-79-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x00070000000240cc-98.dat upx behavioral1/files/0x00070000000240cb-93.dat upx behavioral1/files/0x00070000000240ca-89.dat upx behavioral1/memory/1524-114-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3952-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1524-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x00070000000240c9-122.dat upx behavioral1/memory/3036-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1196-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4836-135-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x00070000000240cb-138.dat upx behavioral1/memory/4232-161-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3104-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3372-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/408-178-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-173-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/460-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-188-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/624-192-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1196-191-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x00070000000240ca-200.dat upx behavioral1/files/0x00070000000240cc-214.dat upx behavioral1/memory/3564-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1968-217-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1652-239-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4016-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3396-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/624-254-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3396-257-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3564-264-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2700-268-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4184-274-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2996-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1512-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4708-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4184-284-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2312-288-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4708-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4968-295-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/224-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/748-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2068-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4836-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3104-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/624-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3564-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1196-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3036-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3104-316-0x0000000000400000-0x000000000042A000-memory.dmp upx -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\WBEM\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\system\mscoree.dll system32.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe system32.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe smss.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe Kazekage.exe File opened for modification C:\Windows\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\ Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe system32.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\WBEM\msvbvm60.dll smss.exe File opened for modification C:\Windows\system\mscoree.dll csrss.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe csrss.exe File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe csrss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe system32.exe File created C:\Windows\WBEM\msvbvm60.dll system32.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe File opened for modification C:\Windows\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll csrss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Kazekage.exe File opened for modification C:\Windows\ system32.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\system\msvbvm60.dll 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe Kazekage.exe File opened for modification C:\Windows\system\msvbvm60.dll system32.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe Gaara.exe File opened for modification C:\Windows\system\msvbvm60.dll 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg system32.exe File opened for modification C:\Windows\ smss.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe smss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe system32.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll system32.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\msvbvm60.dll 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\msvbvm60.dll 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe smss.exe File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe Gaara.exe File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe csrss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe system32.exe File created C:\Windows\mscomctl.ocx 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe smss.exe File opened for modification C:\Windows\mscomctl.ocx smss.exe File opened for modification C:\Windows\mscomctl.ocx csrss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\mscoree.dll 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe smss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Gaara.exe File opened for modification C:\Windows\msvbvm60.dll csrss.exe -
System Location Discovery: System Language Discovery 1 TTPs 63 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 32 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1420 ping.exe 3416 ping.exe 3044 ping.exe 3244 ping.exe 4812 ping.exe 1312 ping.exe 4212 ping.exe 2920 ping.exe 4452 ping.exe 1240 ping.exe 3076 ping.exe 2368 ping.exe 1828 ping.exe 1552 ping.exe 872 ping.exe 4792 ping.exe 1644 ping.exe 4716 ping.exe 4376 ping.exe 2012 ping.exe 4912 ping.exe 2484 ping.exe 3848 ping.exe 5056 ping.exe 3804 ping.exe 32 ping.exe 2668 ping.exe 2040 ping.exe 2956 ping.exe 372 ping.exe 4636 ping.exe 4560 ping.exe -
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\WallpaperStyle = "2" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" smss.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Speed = "4" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Speed = "4" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Size = "72" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Size = "72" csrss.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee csrss.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\WallpaperStyle = "2" smss.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Software\Microsoft\Internet Explorer\Main smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Software\Microsoft\Internet Explorer\Main 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Software\Microsoft\Internet Explorer\Main system32.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe -
Modifies registry class 51 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe -
Runs ping.exe 1 TTPs 32 IoCs
pid Process 5056 ping.exe 2012 ping.exe 1828 ping.exe 4912 ping.exe 2040 ping.exe 2668 ping.exe 4452 ping.exe 1240 ping.exe 3076 ping.exe 2956 ping.exe 4560 ping.exe 872 ping.exe 2920 ping.exe 372 ping.exe 32 ping.exe 3416 ping.exe 2484 ping.exe 4636 ping.exe 1420 ping.exe 4376 ping.exe 3848 ping.exe 4212 ping.exe 4716 ping.exe 2368 ping.exe 3044 ping.exe 4812 ping.exe 1312 ping.exe 3804 ping.exe 3244 ping.exe 4792 ping.exe 1552 ping.exe 1644 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 624 Kazekage.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 4836 smss.exe 3564 system32.exe 3564 system32.exe 3564 system32.exe 3564 system32.exe 3564 system32.exe 3564 system32.exe 3564 system32.exe 3564 system32.exe 3564 system32.exe 3564 system32.exe 3564 system32.exe 3564 system32.exe 3564 system32.exe 3564 system32.exe 3564 system32.exe 3564 system32.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 3036 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe 4836 smss.exe 4560 smss.exe 3104 Gaara.exe 3952 smss.exe 1524 Gaara.exe 1196 csrss.exe 4232 smss.exe 3372 Gaara.exe 408 Gaara.exe 460 csrss.exe 2732 csrss.exe 624 Kazekage.exe 1968 Kazekage.exe 1888 smss.exe 3564 system32.exe 1652 csrss.exe 4016 Gaara.exe 3396 Kazekage.exe 1032 csrss.exe 2268 smss.exe 2700 system32.exe 2996 Kazekage.exe 1512 Gaara.exe 4184 system32.exe 2312 csrss.exe 4708 system32.exe 4968 Kazekage.exe 224 system32.exe 748 Kazekage.exe 2068 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3036 wrote to memory of 4836 3036 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe 88 PID 3036 wrote to memory of 4836 3036 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe 88 PID 3036 wrote to memory of 4836 3036 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe 88 PID 4836 wrote to memory of 4560 4836 smss.exe 90 PID 4836 wrote to memory of 4560 4836 smss.exe 90 PID 4836 wrote to memory of 4560 4836 smss.exe 90 PID 4836 wrote to memory of 3104 4836 smss.exe 91 PID 4836 wrote to memory of 3104 4836 smss.exe 91 PID 4836 wrote to memory of 3104 4836 smss.exe 91 PID 3104 wrote to memory of 3952 3104 Gaara.exe 94 PID 3104 wrote to memory of 3952 3104 Gaara.exe 94 PID 3104 wrote to memory of 3952 3104 Gaara.exe 94 PID 3104 wrote to memory of 1524 3104 Gaara.exe 95 PID 3104 wrote to memory of 1524 3104 Gaara.exe 95 PID 3104 wrote to memory of 1524 3104 Gaara.exe 95 PID 3104 wrote to memory of 1196 3104 Gaara.exe 97 PID 3104 wrote to memory of 1196 3104 Gaara.exe 97 PID 3104 wrote to memory of 1196 3104 Gaara.exe 97 PID 1196 wrote to memory of 4232 1196 csrss.exe 99 PID 1196 wrote to memory of 4232 1196 csrss.exe 99 PID 1196 wrote to memory of 4232 1196 csrss.exe 99 PID 1196 wrote to memory of 3372 1196 csrss.exe 101 PID 1196 wrote to memory of 3372 1196 csrss.exe 101 PID 1196 wrote to memory of 3372 1196 csrss.exe 101 PID 3036 wrote to memory of 408 3036 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe 102 PID 3036 wrote to memory of 408 3036 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe 102 PID 3036 wrote to memory of 408 3036 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe 102 PID 1196 wrote to memory of 460 1196 csrss.exe 103 PID 1196 wrote to memory of 460 1196 csrss.exe 103 PID 1196 wrote to memory of 460 1196 csrss.exe 103 PID 3036 wrote to memory of 2732 3036 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe 104 PID 3036 wrote to memory of 2732 3036 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe 104 PID 3036 wrote to memory of 2732 3036 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe 104 PID 1196 wrote to memory of 1968 1196 csrss.exe 105 PID 1196 wrote to memory of 1968 1196 csrss.exe 105 PID 1196 wrote to memory of 1968 1196 csrss.exe 105 PID 3036 wrote to memory of 624 3036 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe 106 PID 3036 wrote to memory of 624 3036 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe 106 PID 3036 wrote to memory of 624 3036 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe 106 PID 1196 wrote to memory of 3564 1196 csrss.exe 109 PID 1196 wrote to memory of 3564 1196 csrss.exe 109 PID 1196 wrote to memory of 3564 1196 csrss.exe 109 PID 624 wrote to memory of 1888 624 Kazekage.exe 110 PID 624 wrote to memory of 1888 624 Kazekage.exe 110 PID 624 wrote to memory of 1888 624 Kazekage.exe 110 PID 4836 wrote to memory of 1652 4836 smss.exe 111 PID 4836 wrote to memory of 1652 4836 smss.exe 111 PID 4836 wrote to memory of 1652 4836 smss.exe 111 PID 624 wrote to memory of 4016 624 Kazekage.exe 112 PID 624 wrote to memory of 4016 624 Kazekage.exe 112 PID 624 wrote to memory of 4016 624 Kazekage.exe 112 PID 4836 wrote to memory of 3396 4836 smss.exe 113 PID 4836 wrote to memory of 3396 4836 smss.exe 113 PID 4836 wrote to memory of 3396 4836 smss.exe 113 PID 624 wrote to memory of 1032 624 Kazekage.exe 114 PID 624 wrote to memory of 1032 624 Kazekage.exe 114 PID 624 wrote to memory of 1032 624 Kazekage.exe 114 PID 3564 wrote to memory of 2268 3564 system32.exe 115 PID 3564 wrote to memory of 2268 3564 system32.exe 115 PID 3564 wrote to memory of 2268 3564 system32.exe 115 PID 4836 wrote to memory of 2700 4836 smss.exe 116 PID 4836 wrote to memory of 2700 4836 smss.exe 116 PID 4836 wrote to memory of 2700 4836 smss.exe 116 PID 624 wrote to memory of 2996 624 Kazekage.exe 117 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-29_0907ffbf662cae89a8751ab25d32d9b2_amadey_black-basta_elex_luca-stealer.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3036 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4836 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4560
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3104 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3952
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1524
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1196 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4232
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3372
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:460
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1968
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3564 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2268
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1512
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2312
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4968
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:224
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:32
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4912
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4560
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1644
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4792
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4452
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:372
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2012
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2484
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1312
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:748
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2068
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3244
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4716
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3804
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4376
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1552
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2040
-
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1652
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3396
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2700
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4212
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5056
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2920
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3076
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4636
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2668
-
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:408
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2732
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:624 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1888
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4016
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1032
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2996
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4184
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4812
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1240
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1828
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2368
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3044
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2956
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4708
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:872
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3848
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1420
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3416
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\smss.exe1⤵PID:2624
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\Gaara.exe1⤵PID:5056
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 29-5-2025.exe1⤵PID:396
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:388
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD51564dfe69ffed40950e5cb644e0894d1
SHA1201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA51272df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
9.1MB
MD5edec8336e124ce9cf216f180104300c9
SHA1da62ac2fd3d599244635e04d96a3710bd6bb31e9
SHA2560d17dbe38ad40896baa2efc85538deee4d3506e21413b9795359409f54347ea9
SHA5120d15689613b26f7324ffe212170cd7ec3bbbb6f1bdeb6f6cf41398a989ca02ee6b5e8f244bbe957b550f566b385f607f097ac5a02c330835399273090177f480
-
Filesize
9.1MB
MD50907ffbf662cae89a8751ab25d32d9b2
SHA140f30266ade343e73282d8c939373c7c38f9f724
SHA2561c3bb7ae580061255ae6ca6119765ca282b2d529b2542d50331f798114adba99
SHA5122b60202c1cdab8800f84cb923912b9f54bf1934c81d88f82ca6a090d722912e49bf3c58a27f2bb6e32108e589e1a82e989cc55dd5f8805ef8ff178355a1fc450
-
Filesize
9.1MB
MD551f8358b2f42b378c3181ad80c70cc77
SHA1d46b4fbd9d34d74cf0580790af9fd180bf2fe744
SHA25614005431a23d6341c59a0ced63f3861bae9f11dc0dd96d75d15e385b3053c7dd
SHA5124b9e86cc386ea34538fab42de1b277d91753519ca95d1a449b1e84934f7ba3385bab07bbd8c66127c3ad7c87074e002bae019a0746a934c0331d91267a1df122
-
Filesize
9.1MB
MD52041eafb3dbdfaa2cdd37c34646fa4da
SHA1be6209e4c7f827846fa50016fbf0fd3ff76f5cde
SHA256734886b50dbf328a04bf3e62b2832ebba1aadebceb98f145197256f8aada7045
SHA512afc1d658c1104e9b0b11045fa7a0218bd11428a15df101f7d080baac98c5eb3dabf8a7bfbf0d3e408c32deb43f35b5fd80e1f282b293a733006edb0c22b0aa04
-
Filesize
9.1MB
MD58e028fada887e725f488537159594f13
SHA1457cdf490ecb9599178bd1c14d2b3e19320f3b48
SHA2569a9ec80844e476c46fa86d8a08817a1486242ac56245e28283d37e89abff31fe
SHA5129a08a908d20b06e5d51302604d31dcf13a439e6d17b9b2c1e4261827adb0d76c20aba51d52f261ad85315a3d3cd5c3a0b107cc507f96bcb7010f903bb82d7dd1
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
9.1MB
MD5e37e44c490d98227245ea47787fa8049
SHA133d83313e3ccfe5c13dc12474e524a140745fe39
SHA256e1f76f0fffca7004d201eec0fee53deeba9bcf23680521cf5e3d22ddff5ca71b
SHA512c761210e3593add74aab1018bb18af19664eeb9db75bc0a0bc1937ff95dbad7a510ccd2d176a837610705b9796c0ea51d5a8b131fe9551b0abf213f2e4f8973f
-
Filesize
9.1MB
MD5556215a8eb64702ac0bd3b8e59aaa04f
SHA164e024cffdef304a0c416cd0c0f6ccab38f59b69
SHA2568d4efd9cb562fc894dacbb2df61a004ddb5ccba7646b15f6ba9366df7ab058e9
SHA51245f52616a859a22bf138f5161edda4b009b99a370222edfe38cc6042d37224a8e051190e37d5cccdbab78b7c918046b7fb8b7f64f05e2cf4d08a7f07f703c11f
-
Filesize
9.1MB
MD583ec06d6f3d3748a1141c71d76bf009a
SHA1ea7383c4a8b60f724dd3631e41da35991c1c4b85
SHA25682da3f38811fd0007c539b2f6a93887a99cf79ce6c3cff79f218c858576d07c6
SHA512a6f86f136fae70d0460e50efe5127d13fae1b256cbda97363b914243e1d9588d5e545b66e42e88328580992760740c3ab7447bc472ed6828c1045604299df46b
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
9.1MB
MD5fcf292ab88d60104629fc6ee0bce7b82
SHA1410a54301588238a15d489028131f486d07c5551
SHA256da5c0fc248a5a07af6b432de9a9d10d519db70678ce0179dd0f7b906747c83b2
SHA512709885c7e9e2a609a4006daf2afd3d2ff25a227d60a893734d2ac23840032d6f7d0bbecc4168dba45f3a3622383ba77ecb58e1170b6c08de901222b7b0e87f82
-
Filesize
9.1MB
MD595ba055cfb9d584c150b2131ce9f9741
SHA1d1fcd04420c213137927e72c6ad93aa2f7a8b394
SHA2565cb9b6aa6f69398d8257078567ffbbc7fedfebafb08d589e56fb7c7fb82b7539
SHA512ab90900234a9f3fc37223bf0d51f649e83349c4591e1f77e1da17edc50d9350d55e64f1eca543639bc39533132ebe10a112eb3fc7c2591607e8d7dafd885ed05
-
Filesize
9.1MB
MD58e45b27c97fcc49e1d0900b10f6930db
SHA127d872a0a342a50512559fa7b0ab9ffc3cc29bde
SHA25649eb6f6a3638bf030ca4bba44eaec9e4d3da31fdee1ff9478a9714cc5bcf7f0f
SHA512c08b13ff920270bb556acb60302ae97e2ff0431147adb47871f9b4080ce7fe65b916605753d7e07e787d58cabc024b39254989e626f759682705b3dbb4fcb3b8
-
Filesize
9.1MB
MD5c4c12d82fea5b5c173bb1dbce3918c12
SHA1169e8f4491868ebcb22b06c35bce3d1ee91917c9
SHA2569cb5b1a3354cd56ae583182f6e542fb4c9c90a0a4328b2f24376306ea71d9439
SHA5125a603a49ec8e4f6343104ddf308daf656149b3cda2d3a62d469300ec353b1035bfa89d9ce6deaf2b62d7e66d4f4d4ad9cbef3b34928e4b636fc7dcdafcf15428
-
Filesize
9.1MB
MD50dee0c7e9165c6fbc215bc9523bd07e9
SHA159e5d302d784200da1c6b7c315d16a1805d157f6
SHA25642e1253fe7c19b7a6dd016a59bf8da2d9e66aa5b35d9adaa05286866bf9960c0
SHA512bc0f30125fab6aed4443bc6666b732c573747d279f61fae72dc74802ac9a625e731c3b3ce90e47e302a1408ff6839b2f81a4fc5e10e23c68c5c41d82de574481
-
Filesize
9.1MB
MD5ee5d75df84d6608d49add0e30c805d16
SHA1bce78d2b17700c7c20028f05cd0a99216ba56eed
SHA256bf9067094317efc998e79cbf881cd211ccd93cec9864d11dc58da581a8669d3a
SHA512a1351b18fbf09a030789f00e47af349861ff2b4ff237b574c5436c7086e703f52b5c646e2c52cd7aa0849cbe36c945ff77a7547e707accebca8f99a95e97d2e7
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
508KB
MD53510db7620dda3c052de49ea1aa0191e
SHA140105462edc01acc30c586f5bbad1311cce85fdc
SHA256551a3c6401d8f67764db1eddd457416ca3f1c97f1ec3ab9e10179990130518a4
SHA5123b4156e48ecc69a87267e4ebef26d003f63bc4122a36115396855ee6bcb773bdd600e1a084797a99a550e392ea4a7a7c4c0ba5064a0f11e6bd57e8ec15a81253