Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows11-21h2_x64 -
resource
win11-20250502-en -
resource tags
arch:x64arch:x86image:win11-20250502-enlocale:en-usos:windows11-21h2-x64system -
submitted
29/05/2025, 10:32
Behavioral task
behavioral1
Sample
2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe
Resource
win10v2004-20250502-en
Behavioral task
behavioral2
Sample
2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe
Resource
win11-20250502-en
General
-
Target
2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe
-
Size
8.2MB
-
MD5
ccb925eec2e3595a9a3665036208827d
-
SHA1
1db9df3f33a9ef5a7d2da210f1014645cf609067
-
SHA256
8332991d7c2d09dbea56be004a8d5c0d658d6ea82cb75cb09337584c607ae2e2
-
SHA512
cc860459cbaeef40f2c94d1a4a44b240c0caf0dbf059ce0eb1c70f5419fdb57cb12f1876341bf78c1cfba9d4dc685d1e13e5022961facad0959cfee9ca8bc3af
-
SSDEEP
49152:3GyqWyWy0GyqWyWyMRPC1em1eHc785diLvnb1gts:3GyqWyWy0GyqWyWyMRPC1em1eHL5dGTP
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe -
UAC bypass 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe system32.exe -
Executes dropped EXE 30 IoCs
pid Process 576 smss.exe 4804 smss.exe 5600 Gaara.exe 4868 smss.exe 4940 Gaara.exe 3360 csrss.exe 1240 smss.exe 4884 Gaara.exe 4544 csrss.exe 4568 Kazekage.exe 5548 smss.exe 432 Gaara.exe 5636 csrss.exe 804 Kazekage.exe 5576 system32.exe 920 smss.exe 4908 Gaara.exe 1004 csrss.exe 2492 Kazekage.exe 2440 system32.exe 5340 system32.exe 4152 Kazekage.exe 1080 system32.exe 4736 csrss.exe 1016 Kazekage.exe 1700 system32.exe 3284 Gaara.exe 2832 csrss.exe 3312 Kazekage.exe 2332 system32.exe -
Loads dropped DLL 18 IoCs
pid Process 576 smss.exe 4804 smss.exe 5600 Gaara.exe 4868 smss.exe 4940 Gaara.exe 3360 csrss.exe 1240 smss.exe 4884 Gaara.exe 4544 csrss.exe 5548 smss.exe 432 Gaara.exe 5636 csrss.exe 920 smss.exe 4908 Gaara.exe 1004 csrss.exe 4736 csrss.exe 3284 Gaara.exe 2832 csrss.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" csrss.exe -
Checks whether UAC is enabled 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification \??\S:\Desktop.ini smss.exe File opened for modification \??\U:\Desktop.ini 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\V:\Desktop.ini csrss.exe File opened for modification \??\K:\Desktop.ini smss.exe File opened for modification \??\Z:\Desktop.ini smss.exe File opened for modification \??\Y:\Desktop.ini 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\L:\Desktop.ini Kazekage.exe File opened for modification \??\H:\Desktop.ini csrss.exe File opened for modification \??\O:\Desktop.ini csrss.exe File opened for modification \??\U:\Desktop.ini system32.exe File opened for modification \??\G:\Desktop.ini 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\A:\Desktop.ini csrss.exe File opened for modification D:\Desktop.ini Gaara.exe File opened for modification \??\E:\Desktop.ini system32.exe File opened for modification \??\L:\Desktop.ini system32.exe File opened for modification D:\Desktop.ini 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\X:\Desktop.ini Kazekage.exe File opened for modification \??\B:\Desktop.ini smss.exe File opened for modification F:\Desktop.ini 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\P:\Desktop.ini smss.exe File opened for modification \??\W:\Desktop.ini 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Desktop.ini system32.exe File opened for modification \??\H:\Desktop.ini system32.exe File opened for modification \??\M:\Desktop.ini csrss.exe File opened for modification \??\V:\Desktop.ini Kazekage.exe File opened for modification D:\Desktop.ini smss.exe File opened for modification \??\E:\Desktop.ini smss.exe File opened for modification \??\K:\Desktop.ini 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\P:\Desktop.ini 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\H:\Desktop.ini Kazekage.exe File opened for modification \??\Z:\Desktop.ini csrss.exe File opened for modification \??\X:\Desktop.ini smss.exe File opened for modification C:\Desktop.ini csrss.exe File opened for modification \??\K:\Desktop.ini Gaara.exe File opened for modification \??\S:\Desktop.ini Kazekage.exe File opened for modification \??\O:\Desktop.ini Gaara.exe File opened for modification \??\H:\Desktop.ini smss.exe File opened for modification D:\Desktop.ini system32.exe File opened for modification \??\O:\Desktop.ini Kazekage.exe File opened for modification \??\L:\Desktop.ini csrss.exe File opened for modification \??\W:\Desktop.ini system32.exe File opened for modification \??\X:\Desktop.ini csrss.exe File opened for modification \??\R:\Desktop.ini 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\A:\Desktop.ini Gaara.exe File opened for modification \??\R:\Desktop.ini Kazekage.exe File opened for modification \??\W:\Desktop.ini Kazekage.exe File opened for modification \??\T:\Desktop.ini csrss.exe File opened for modification \??\Z:\Desktop.ini Kazekage.exe File opened for modification \??\M:\Desktop.ini 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification F:\Desktop.ini Kazekage.exe File opened for modification \??\B:\Desktop.ini system32.exe File opened for modification \??\E:\Desktop.ini Kazekage.exe File opened for modification \??\I:\Desktop.ini Kazekage.exe File opened for modification \??\G:\Desktop.ini csrss.exe File opened for modification \??\G:\Desktop.ini smss.exe File opened for modification \??\Q:\Desktop.ini 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\B:\Desktop.ini Gaara.exe File opened for modification \??\J:\Desktop.ini csrss.exe File opened for modification \??\J:\Desktop.ini smss.exe File opened for modification C:\Desktop.ini Gaara.exe File opened for modification \??\P:\Desktop.ini system32.exe File opened for modification \??\I:\Desktop.ini 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\K:\Desktop.ini Kazekage.exe File opened for modification \??\L:\Desktop.ini Gaara.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: Gaara.exe File opened (read-only) \??\G: csrss.exe File opened (read-only) \??\E: csrss.exe File opened (read-only) \??\K: system32.exe File opened (read-only) \??\G: smss.exe File opened (read-only) \??\A: Kazekage.exe File opened (read-only) \??\H: system32.exe File opened (read-only) \??\T: csrss.exe File opened (read-only) \??\R: Gaara.exe File opened (read-only) \??\Q: csrss.exe File opened (read-only) \??\M: 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\B: system32.exe File opened (read-only) \??\K: Gaara.exe File opened (read-only) \??\K: csrss.exe File opened (read-only) \??\L: smss.exe File opened (read-only) \??\V: smss.exe File opened (read-only) \??\Y: 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\T: Kazekage.exe File opened (read-only) \??\Z: csrss.exe File opened (read-only) \??\B: Gaara.exe File opened (read-only) \??\T: smss.exe File opened (read-only) \??\H: Kazekage.exe File opened (read-only) \??\J: system32.exe File opened (read-only) \??\N: system32.exe File opened (read-only) \??\X: Kazekage.exe File opened (read-only) \??\Y: Kazekage.exe File opened (read-only) \??\U: system32.exe File opened (read-only) \??\O: system32.exe File opened (read-only) \??\Q: 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\X: 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\K: Kazekage.exe File opened (read-only) \??\R: csrss.exe File opened (read-only) \??\Y: csrss.exe File opened (read-only) \??\G: 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\I: smss.exe File opened (read-only) \??\V: 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\L: Gaara.exe File opened (read-only) \??\E: system32.exe File opened (read-only) \??\I: system32.exe File opened (read-only) \??\L: csrss.exe File opened (read-only) \??\B: Kazekage.exe File opened (read-only) \??\O: Gaara.exe File opened (read-only) \??\O: csrss.exe File opened (read-only) \??\Z: Kazekage.exe File opened (read-only) \??\X: csrss.exe File opened (read-only) \??\A: 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\O: smss.exe File opened (read-only) \??\J: Gaara.exe File opened (read-only) \??\R: Kazekage.exe File opened (read-only) \??\V: csrss.exe File opened (read-only) \??\O: 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\G: Kazekage.exe File opened (read-only) \??\P: Gaara.exe File opened (read-only) \??\A: smss.exe File opened (read-only) \??\E: smss.exe File opened (read-only) \??\S: smss.exe File opened (read-only) \??\W: smss.exe File opened (read-only) \??\L: 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\G: Gaara.exe File opened (read-only) \??\O: Kazekage.exe File opened (read-only) \??\H: csrss.exe File opened (read-only) \??\A: Gaara.exe File opened (read-only) \??\T: Gaara.exe File opened (read-only) \??\V: Gaara.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created \??\I:\Autorun.inf system32.exe File created \??\Q:\Autorun.inf system32.exe File opened for modification \??\Z:\Autorun.inf smss.exe File opened for modification \??\M:\Autorun.inf Gaara.exe File created \??\R:\Autorun.inf Kazekage.exe File created \??\T:\Autorun.inf Gaara.exe File opened for modification \??\B:\Autorun.inf 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File created \??\A:\Autorun.inf csrss.exe File created \??\E:\Autorun.inf csrss.exe File created \??\H:\Autorun.inf system32.exe File created D:\Autorun.inf 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\E:\Autorun.inf Gaara.exe File opened for modification \??\X:\Autorun.inf Gaara.exe File opened for modification \??\O:\Autorun.inf csrss.exe File created \??\W:\Autorun.inf csrss.exe File opened for modification \??\T:\Autorun.inf Kazekage.exe File created \??\O:\Autorun.inf system32.exe File created \??\Q:\Autorun.inf 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Autorun.inf smss.exe File opened for modification D:\Autorun.inf Gaara.exe File opened for modification \??\U:\Autorun.inf csrss.exe File opened for modification \??\L:\Autorun.inf system32.exe File created \??\L:\Autorun.inf system32.exe File created \??\T:\Autorun.inf system32.exe File created \??\J:\Autorun.inf smss.exe File opened for modification \??\V:\Autorun.inf Gaara.exe File opened for modification \??\Z:\Autorun.inf csrss.exe File created \??\Z:\Autorun.inf csrss.exe File opened for modification F:\Autorun.inf system32.exe File opened for modification \??\N:\Autorun.inf system32.exe File opened for modification \??\X:\Autorun.inf 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\Z:\Autorun.inf Gaara.exe File opened for modification \??\M:\Autorun.inf csrss.exe File created \??\N:\Autorun.inf csrss.exe File created \??\Q:\Autorun.inf Kazekage.exe File opened for modification \??\E:\Autorun.inf system32.exe File created \??\G:\Autorun.inf Kazekage.exe File created \??\P:\Autorun.inf 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\W:\Autorun.inf 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\N:\Autorun.inf smss.exe File created \??\B:\Autorun.inf Gaara.exe File created \??\K:\Autorun.inf csrss.exe File created D:\Autorun.inf system32.exe File created \??\W:\Autorun.inf system32.exe File created \??\L:\Autorun.inf 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File created \??\X:\Autorun.inf 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File created \??\E:\Autorun.inf smss.exe File created \??\J:\Autorun.inf Gaara.exe File opened for modification \??\Y:\Autorun.inf Gaara.exe File opened for modification \??\X:\Autorun.inf csrss.exe File opened for modification C:\Autorun.inf Kazekage.exe File opened for modification \??\M:\Autorun.inf Kazekage.exe File created \??\K:\Autorun.inf Gaara.exe File created D:\Autorun.inf csrss.exe File created \??\X:\Autorun.inf csrss.exe File created \??\A:\Autorun.inf Kazekage.exe File created \??\M:\Autorun.inf Kazekage.exe File created \??\T:\Autorun.inf Kazekage.exe File created \??\A:\Autorun.inf system32.exe File opened for modification \??\V:\Autorun.inf system32.exe File opened for modification \??\A:\Autorun.inf 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\H:\Autorun.inf 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File created \??\T:\Autorun.inf 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\Y:\Autorun.inf 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe -
Drops file in System32 directory 39 IoCs
description ioc Process File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File created C:\Windows\SysWOW64\mscomctl.ocx 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe csrss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe File created C:\Windows\SysWOW64\29-5-2025.exe 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe smss.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe system32.exe File opened for modification C:\Windows\SysWOW64\ 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\ smss.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe Kazekage.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File created C:\Windows\SysWOW64\Desktop.ini 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe -
resource yara_rule behavioral2/memory/5740-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002b14a-11.dat upx behavioral2/memory/576-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002b146-31.dat upx behavioral2/files/0x001c00000002b14b-49.dat upx behavioral2/memory/4804-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4804-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002b147-76.dat upx behavioral2/memory/5600-78-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4868-113-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4940-120-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-125-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002b14d-139.dat upx behavioral2/memory/4544-166-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002b14c-168.dat upx behavioral2/memory/4568-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5740-170-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001c00000002b14b-177.dat upx behavioral2/memory/5576-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-251-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2440-255-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3312-293-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2332-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3284-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1700-282-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1016-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5576-271-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/1080-267-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4152-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5340-259-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/2492-250-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4908-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001c00000002b14b-224.dat upx behavioral2/files/0x001900000002b14d-217.dat upx behavioral2/memory/804-214-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5600-206-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/432-205-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002b14a-202.dat upx behavioral2/memory/576-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4884-162-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001c00000002b14b-131.dat upx behavioral2/memory/4940-116-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002b14d-97.dat upx behavioral2/memory/5740-298-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/576-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5600-300-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5576-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/3360-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5600-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5740-340-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/576-407-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001900000002b16c-454.dat upx behavioral2/memory/3360-480-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/5600-479-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/files/0x001c00000002b170-537.dat upx behavioral2/memory/5576-553-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral2/memory/4568-552-0x0000000000400000-0x000000000042A000-memory.dmp upx -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Fonts\The Kazekage.jpg 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe Kazekage.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll system32.exe File opened for modification C:\Windows\ Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe Gaara.exe File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe Kazekage.exe File opened for modification C:\Windows\mscomctl.ocx smss.exe File opened for modification C:\Windows\mscomctl.ocx csrss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll csrss.exe File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe File created C:\Windows\WBEM\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe smss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\ 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe Kazekage.exe File opened for modification C:\Windows\msvbvm60.dll smss.exe File created C:\Windows\Fonts\The Kazekage.jpg 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe csrss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe csrss.exe File opened for modification C:\Windows\system\mscoree.dll Kazekage.exe File opened for modification C:\Windows\system\mscoree.dll system32.exe File opened for modification C:\Windows\ system32.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\msvbvm60.dll 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\mscoree.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe smss.exe File opened for modification C:\Windows\system\mscoree.dll csrss.exe File opened for modification C:\Windows\ csrss.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\WBEM\msvbvm60.dll 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe system32.exe File created C:\Windows\WBEM\msvbvm60.dll system32.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe smss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe system32.exe File opened for modification C:\Windows\mscomctl.ocx 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\mscomctl.ocx system32.exe File opened for modification C:\Windows\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\system\mscoree.dll 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\msvbvm60.dll 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe smss.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe smss.exe File opened for modification C:\Windows\system\msvbvm60.dll smss.exe File opened for modification C:\Windows\system\mscoree.dll Gaara.exe File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe csrss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe Kazekage.exe File opened for modification C:\Windows\msvbvm60.dll 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\system\msvbvm60.dll 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 36 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 456 ping.exe 432 ping.exe 5028 ping.exe 3932 ping.exe 1944 ping.exe 5260 ping.exe 5596 ping.exe 5784 ping.exe 5184 ping.exe 6100 ping.exe 5752 ping.exe 5188 ping.exe 992 ping.exe 2356 ping.exe 5792 ping.exe 1252 ping.exe 6128 ping.exe 4712 ping.exe 5868 ping.exe 3880 ping.exe 3492 ping.exe 920 ping.exe 1116 ping.exe 5744 ping.exe 4840 ping.exe 4928 ping.exe 720 ping.exe 5772 ping.exe 896 ping.exe 1248 ping.exe 564 ping.exe 4592 ping.exe 5536 ping.exe 6064 ping.exe 2672 ping.exe 1760 ping.exe -
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\WallpaperStyle = "2" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\WallpaperStyle = "2" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Speed = "4" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Size = "72" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Size = "72" csrss.exe Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Size = "72" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\WallpaperStyle = "2" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\WallpaperStyle = "2" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Speed = "4" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" csrss.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main system32.exe Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe -
Modifies registry class 51 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe -
Runs ping.exe 1 TTPs 36 IoCs
pid Process 4592 ping.exe 5260 ping.exe 5596 ping.exe 1116 ping.exe 5028 ping.exe 3492 ping.exe 3932 ping.exe 720 ping.exe 1944 ping.exe 5184 ping.exe 564 ping.exe 4712 ping.exe 5188 ping.exe 432 ping.exe 5536 ping.exe 6100 ping.exe 1252 ping.exe 6128 ping.exe 2356 ping.exe 5792 ping.exe 4928 ping.exe 896 ping.exe 6064 ping.exe 2672 ping.exe 456 ping.exe 5752 ping.exe 920 ping.exe 5868 ping.exe 1248 ping.exe 1760 ping.exe 3880 ping.exe 5784 ping.exe 5744 ping.exe 992 ping.exe 5772 ping.exe 4840 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe 576 smss.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 576 smss.exe 4804 smss.exe 5600 Gaara.exe 4868 smss.exe 4940 Gaara.exe 3360 csrss.exe 1240 smss.exe 4884 Gaara.exe 4544 csrss.exe 4568 Kazekage.exe 5548 smss.exe 432 Gaara.exe 5636 csrss.exe 804 Kazekage.exe 5576 system32.exe 920 smss.exe 4908 Gaara.exe 1004 csrss.exe 2492 Kazekage.exe 2440 system32.exe 5340 system32.exe 4152 Kazekage.exe 1080 system32.exe 4736 csrss.exe 1016 Kazekage.exe 1700 system32.exe 3284 Gaara.exe 2832 csrss.exe 3312 Kazekage.exe 2332 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 5740 wrote to memory of 576 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 79 PID 5740 wrote to memory of 576 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 79 PID 5740 wrote to memory of 576 5740 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe 79 PID 576 wrote to memory of 4804 576 smss.exe 80 PID 576 wrote to memory of 4804 576 smss.exe 80 PID 576 wrote to memory of 4804 576 smss.exe 80 PID 576 wrote to memory of 5600 576 smss.exe 81 PID 576 wrote to memory of 5600 576 smss.exe 81 PID 576 wrote to memory of 5600 576 smss.exe 81 PID 5600 wrote to memory of 4868 5600 Gaara.exe 82 PID 5600 wrote to memory of 4868 5600 Gaara.exe 82 PID 5600 wrote to memory of 4868 5600 Gaara.exe 82 PID 5600 wrote to memory of 4940 5600 Gaara.exe 83 PID 5600 wrote to memory of 4940 5600 Gaara.exe 83 PID 5600 wrote to memory of 4940 5600 Gaara.exe 83 PID 5600 wrote to memory of 3360 5600 Gaara.exe 84 PID 5600 wrote to memory of 3360 5600 Gaara.exe 84 PID 5600 wrote to memory of 3360 5600 Gaara.exe 84 PID 3360 wrote to memory of 1240 3360 csrss.exe 85 PID 3360 wrote to memory of 1240 3360 csrss.exe 85 PID 3360 wrote to memory of 1240 3360 csrss.exe 85 PID 3360 wrote to memory of 4884 3360 csrss.exe 86 PID 3360 wrote to memory of 4884 3360 csrss.exe 86 PID 3360 wrote to memory of 4884 3360 csrss.exe 86 PID 3360 wrote to memory of 4544 3360 csrss.exe 87 PID 3360 wrote to memory of 4544 3360 csrss.exe 87 PID 3360 wrote to memory of 4544 3360 csrss.exe 87 PID 3360 wrote to memory of 4568 3360 csrss.exe 88 PID 3360 wrote to memory of 4568 3360 csrss.exe 88 PID 3360 wrote to memory of 4568 3360 csrss.exe 88 PID 4568 wrote to memory of 5548 4568 Kazekage.exe 89 PID 4568 wrote to memory of 5548 4568 Kazekage.exe 89 PID 4568 wrote to memory of 5548 4568 Kazekage.exe 89 PID 4568 wrote to memory of 432 4568 Kazekage.exe 90 PID 4568 wrote to memory of 432 4568 Kazekage.exe 90 PID 4568 wrote to memory of 432 4568 Kazekage.exe 90 PID 4568 wrote to memory of 5636 4568 Kazekage.exe 91 PID 4568 wrote to memory of 5636 4568 Kazekage.exe 91 PID 4568 wrote to memory of 5636 4568 Kazekage.exe 91 PID 4568 wrote to memory of 804 4568 Kazekage.exe 92 PID 4568 wrote to memory of 804 4568 Kazekage.exe 92 PID 4568 wrote to memory of 804 4568 Kazekage.exe 92 PID 4568 wrote to memory of 5576 4568 Kazekage.exe 93 PID 4568 wrote to memory of 5576 4568 Kazekage.exe 93 PID 4568 wrote to memory of 5576 4568 Kazekage.exe 93 PID 5576 wrote to memory of 920 5576 system32.exe 94 PID 5576 wrote to memory of 920 5576 system32.exe 94 PID 5576 wrote to memory of 920 5576 system32.exe 94 PID 5576 wrote to memory of 4908 5576 system32.exe 95 PID 5576 wrote to memory of 4908 5576 system32.exe 95 PID 5576 wrote to memory of 4908 5576 system32.exe 95 PID 5576 wrote to memory of 1004 5576 system32.exe 96 PID 5576 wrote to memory of 1004 5576 system32.exe 96 PID 5576 wrote to memory of 1004 5576 system32.exe 96 PID 5576 wrote to memory of 2492 5576 system32.exe 97 PID 5576 wrote to memory of 2492 5576 system32.exe 97 PID 5576 wrote to memory of 2492 5576 system32.exe 97 PID 5576 wrote to memory of 2440 5576 system32.exe 98 PID 5576 wrote to memory of 2440 5576 system32.exe 98 PID 5576 wrote to memory of 2440 5576 system32.exe 98 PID 3360 wrote to memory of 5340 3360 csrss.exe 99 PID 3360 wrote to memory of 5340 3360 csrss.exe 99 PID 3360 wrote to memory of 5340 3360 csrss.exe 99 PID 5600 wrote to memory of 4152 5600 Gaara.exe 100 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-29_ccb925eec2e3595a9a3665036208827d_amadey_black-basta_elex_luca-stealer.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5740 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:576 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4804
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5600 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4868
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4940
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3360 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1240
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4884
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4544
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4568 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5548
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:432
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5636
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:804
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5576 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:920
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:4908
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1004
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2492
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2440
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:920
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5184
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5752
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4712
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1116
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655007⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5596
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:896
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4928
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3932
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:456
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5868
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5260
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5340
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5772
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5536
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1252
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6128
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1944
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4840
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4152
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1080
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3492
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5744
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2672
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1760
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5188
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4592
-
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4736
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1016
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1700
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5784
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5792
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6100
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:564
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2356
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:432
-
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3284
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2832
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3312
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2332
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3880
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5028
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1248
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6064
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:720
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:992
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\smss.exe1⤵PID:1352
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\Gaara.exe1⤵PID:2744
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 29-5-2025.exe1⤵PID:6076
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:4904
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.8MB
MD533fd632261a544d86d4e74f8412ddfaa
SHA1e93a8c5c628a48b16ace97f79eaeb6630d228b52
SHA256c442c830027d5c135d6fb1bb3cb916a10a540210250c38979a4acdfc164a3014
SHA51252eea7837f6cd60c333820708f818597e0d988bda2e16ef10e26cf5d80377e243ae8b982b3afd6ca9e09fe7fa7a3d0cd643aa64d032a5fd9ec980bd89b322605
-
Filesize
7.3MB
MD5a7ca61643c895c2ab3c74b076e6eedab
SHA14acee6a6fa21f0d602a2371c5ea5a5c3403df35b
SHA25641e96afbf56fe3b185fa868cd9126b9fbd76c21f77c9f859fee1e6780cffaadc
SHA51233ab6d7e6574b61f83bacd94e04f80b30ed6614fadc3fefe54a3de63c4ac9b1fa217bbe0765f617fde76a89f5c6361e33705f65eb14235d3e53d97698ee2a3d8
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD51564dfe69ffed40950e5cb644e0894d1
SHA1201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA51272df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
8.2MB
MD5f878d07a04d8d07c6c9737189a4a9cd0
SHA16752c1931e9789b24ba9f890bdba51f1afbabc78
SHA256a76d696ef3983f4aa586c42932473336a67b9dd59506ff5c29e523471230b118
SHA51232715f0d08a3428fd21488c68c655d1f6852d93e3b62c6473b17edda26981d4cc8648f8f0af6f5883dcc8ab54b5ceab46d9f960834b6966bfeb1067a09acd0aa
-
Filesize
8.2MB
MD5ccb925eec2e3595a9a3665036208827d
SHA11db9df3f33a9ef5a7d2da210f1014645cf609067
SHA2568332991d7c2d09dbea56be004a8d5c0d658d6ea82cb75cb09337584c607ae2e2
SHA512cc860459cbaeef40f2c94d1a4a44b240c0caf0dbf059ce0eb1c70f5419fdb57cb12f1876341bf78c1cfba9d4dc685d1e13e5022961facad0959cfee9ca8bc3af
-
Filesize
8.2MB
MD5e23fe65416676818816da046f186e61f
SHA1c57a462817d9f904d4f39230a0c7426ff4e94947
SHA25643cad06e2f65030be795d984e57998d85f396643caad4faef4586a6c88892ab9
SHA512e67f4c271415c32b02dc82f5418e14da4428600005159d44ef57ee7dd71ea9aacbf19aee4d1bd797fe241b7ded091709deeaaf2a989ac28df88c4754c2e61551
-
Filesize
8.2MB
MD5e91f06e0d99d931a72396a13e35b6650
SHA183d87c2cbbdedd202dcd1407b0cdba969c1cffe9
SHA256d6c801b247c14a955df1d644989742981ac0411df33a3c62aafd47df44b1dd65
SHA5123eed427dac0591a6a02dfd9679e2170e7872d839fdbbc1e656306e78c88dad0e4dc405b8433ce34e4c2d1081a1dc68cf6a728f335ea1bc02924204a70a9c37cb
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
8.2MB
MD594874f133d0b5da64a59e0268edef314
SHA1b492c59bc8c377b8b59d9b21509613a9f94c3a66
SHA2562be14e3e38c4b1ba32b253b3c72d96817a58225f1c96c1961770baeca53bb0ab
SHA512ce4d1301940413cde973dadc5687a503df955860315f6a75bcacde56cd110c37a3b9ab85d77794884b13c6b4d9b5f4cac6d525808f820ff5b966617bcf8071f4
-
Filesize
8.2MB
MD5dc7d18e4054459660fa9fc706d2248ec
SHA1bf5eff15bb08f8e5ca04b57b6c32521c41d431c0
SHA256d05390b4c2ae0171682c2f3bad45ee90c8d0af6fa8bb9de1f1dd023e9f8bde03
SHA512e50a1d96c94354eda18e11189ac5c872774e64a89a062d39df80689c3b6d832d222cb741ac5365303c9bf1e2f1560b97944bc2aa805468c2af0c08a1266e75f4
-
Filesize
8.2MB
MD561851a856b306f793c83d63e45e51fab
SHA1d47ac59953c5c5b80deb1b1d891fa242dcd4d689
SHA2564cb2af3c89d631b8d0824d7c9666003e8a107e75965bfdbb4b3d77118c305459
SHA51284df9eda4051b5319983da5d673293c289c037105bba65e0561e50a9880c21464723775f0af7e9050033f59137561895be52f72b4ec7180ad6bdaf387184a4bb
-
Filesize
3.6MB
MD5cd14d055afe312ec01856765d2797426
SHA1261d82f5eae388027e912cfb2e0544f51ab9e226
SHA256afb2f9e929e9063423b11e675ab6c7d6906a382e2d908f550070f3a8b6678938
SHA5123054a4df6b17fa1dcc7cd4ce21c78201a9144117001b8e1944ac20a8724b699b25250a9600fd16e776de540ecb47f7ef151f6bacad0016443787b72f5135a5a6
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
8.2MB
MD50316ee8d078db96f8fa01fdf4165ea85
SHA1b49eb9aff886ddedc762ea3ad3186ee57209a3fe
SHA256801ce1f55fb556bf4247251e5d82e4342ad6a87e4e5c0d33d18e38dee8b5214d
SHA5127f95fb6018cb1f8184804519597ed2e3f7d5cb68915c10dee09ca0136227358cf4d977f014a3ad8afb01fea871a00285d79850ad03ee7241962a9ce2700ff66d
-
Filesize
8.2MB
MD53d08ca1935d4ad1e63b4875ccd21cb70
SHA18357188ed0cd8636715f1c176a4f7649f4afe4d4
SHA25609ea760bb982c741f866936d2209955fd48b1c6adf139c5e1edfd35789d5d757
SHA5121a7da7ac72525eb864c562d6c11360650accb903374910a35f2e38f393cd55f23ecbe54a7cb61ce9e9e4f8bd2113a45c6d09bf1790730f3a95693fde8f8baa28
-
Filesize
8.2MB
MD5f27bae8180a345c3e67f87e4bcdb973a
SHA1b067616cc205f7c955ca0106065f95de9de67781
SHA2566f12156e9bc6f4f9b6798ac99e68e1370b2a0a4f64ddf143341ff55645d70234
SHA512e90f463e93badbd56e82776c664c0381c1adc5192bc0cc108500422bf2d02a88d1a1ce79c07df98768c7d9c4a85b957f8c2fdf5048b8e5929f725fa6105eb4f2
-
Filesize
8.2MB
MD5190c2d8ca930d61c048f2b1e7e17d2a2
SHA1eb33d41f9393c72b7bf07b022830a9258bb033f6
SHA256b6398f1604733e5f81aaaf26ddef5d0177ebbdd639b93997dc2feecefce9654a
SHA512af0900503464c9b26c966ff8ec1ab12f5c622c01a4e9af7f90169703c2d7a454f226f98623ac2190cd7dd0251b60400620cfc3b37cc30db676f64905859f6809
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a