Analysis
-
max time kernel
149s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system -
submitted
29/05/2025, 11:28
Behavioral task
behavioral1
Sample
2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe
Resource
win10v2004-20250502-en
General
-
Target
2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe
-
Size
9.1MB
-
MD5
11756abfad621de2c8a0ead901ab20e0
-
SHA1
1e600d5e8502a4f6bde4126ebc054f95e53f4031
-
SHA256
1b29e33fc0f8631a131fa56da8295919798ff0085a50171f33855d1b6e4823ad
-
SHA512
afcc251e9faa79737541928c08884b6a8b30b1c5941301805562fd77aecbe900c482a0d9c15258dbdda958eb4719a10db7e8835a563e9be603b7fda439f9cf7e
-
SSDEEP
98304:GGyqWyWy0GyqWyWyMRPC1em1eHL5dGTEYm:71em1eHL5dem
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe -
UAC bypass 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe -
Executes dropped EXE 30 IoCs
pid Process 5952 smss.exe 1068 smss.exe 6004 Gaara.exe 1876 smss.exe 2896 Gaara.exe 4684 csrss.exe 5316 smss.exe 2668 Gaara.exe 2484 csrss.exe 536 Kazekage.exe 2556 Gaara.exe 3688 csrss.exe 776 smss.exe 556 Kazekage.exe 2188 Gaara.exe 6020 csrss.exe 5900 system32.exe 3192 csrss.exe 5108 Kazekage.exe 1940 system32.exe 5516 Kazekage.exe 5752 smss.exe 3584 system32.exe 2980 Gaara.exe 5220 csrss.exe 1496 system32.exe 3508 Kazekage.exe 532 Kazekage.exe 4432 system32.exe 4860 system32.exe -
Loads dropped DLL 18 IoCs
pid Process 5952 smss.exe 1068 smss.exe 6004 Gaara.exe 1876 smss.exe 2896 Gaara.exe 4684 csrss.exe 5316 smss.exe 2668 Gaara.exe 2484 csrss.exe 2556 Gaara.exe 3688 csrss.exe 776 smss.exe 2188 Gaara.exe 6020 csrss.exe 3192 csrss.exe 5752 smss.exe 2980 Gaara.exe 5220 csrss.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" Kazekage.exe -
Checks whether UAC is enabled 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification \??\M:\Desktop.ini smss.exe File opened for modification C:\Desktop.ini csrss.exe File opened for modification F:\Desktop.ini csrss.exe File opened for modification \??\K:\Desktop.ini csrss.exe File opened for modification \??\L:\Desktop.ini smss.exe File opened for modification \??\H:\Desktop.ini 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\R:\Desktop.ini Kazekage.exe File opened for modification D:\Desktop.ini Gaara.exe File opened for modification C:\Desktop.ini 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\K:\Desktop.ini 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\V:\Desktop.ini csrss.exe File opened for modification \??\G:\Desktop.ini Gaara.exe File opened for modification \??\Q:\Desktop.ini Gaara.exe File opened for modification \??\N:\Desktop.ini smss.exe File opened for modification \??\T:\Desktop.ini system32.exe File opened for modification \??\P:\Desktop.ini Gaara.exe File opened for modification \??\L:\Desktop.ini Gaara.exe File opened for modification C:\Desktop.ini Kazekage.exe File opened for modification \??\G:\Desktop.ini 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\Q:\Desktop.ini 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\V:\Desktop.ini Kazekage.exe File opened for modification \??\H:\Desktop.ini Gaara.exe File opened for modification \??\T:\Desktop.ini Gaara.exe File opened for modification \??\U:\Desktop.ini Gaara.exe File opened for modification \??\S:\Desktop.ini 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\X:\Desktop.ini csrss.exe File opened for modification \??\O:\Desktop.ini smss.exe File opened for modification F:\Desktop.ini system32.exe File opened for modification \??\L:\Desktop.ini system32.exe File opened for modification \??\N:\Desktop.ini csrss.exe File opened for modification \??\T:\Desktop.ini csrss.exe File opened for modification \??\W:\Desktop.ini Kazekage.exe File opened for modification \??\Y:\Desktop.ini 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\I:\Desktop.ini system32.exe File opened for modification \??\K:\Desktop.ini system32.exe File opened for modification \??\R:\Desktop.ini system32.exe File opened for modification \??\B:\Desktop.ini Kazekage.exe File opened for modification D:\Desktop.ini Kazekage.exe File opened for modification \??\U:\Desktop.ini smss.exe File opened for modification \??\Y:\Desktop.ini system32.exe File opened for modification \??\O:\Desktop.ini csrss.exe File opened for modification \??\Q:\Desktop.ini csrss.exe File opened for modification \??\K:\Desktop.ini Gaara.exe File opened for modification \??\I:\Desktop.ini 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\Y:\Desktop.ini Gaara.exe File opened for modification \??\X:\Desktop.ini smss.exe File opened for modification D:\Desktop.ini 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\T:\Desktop.ini 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\Z:\Desktop.ini Kazekage.exe File opened for modification \??\R:\Desktop.ini smss.exe File opened for modification \??\A:\Desktop.ini Gaara.exe File opened for modification \??\J:\Desktop.ini Gaara.exe File opened for modification \??\S:\Desktop.ini Gaara.exe File opened for modification \??\V:\Desktop.ini smss.exe File opened for modification \??\W:\Desktop.ini system32.exe File opened for modification \??\X:\Desktop.ini Kazekage.exe File opened for modification \??\A:\Desktop.ini smss.exe File opened for modification \??\A:\Desktop.ini system32.exe File opened for modification \??\E:\Desktop.ini 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\O:\Desktop.ini Kazekage.exe File opened for modification \??\Z:\Desktop.ini smss.exe File opened for modification D:\Desktop.ini system32.exe File opened for modification \??\H:\Desktop.ini system32.exe File opened for modification \??\H:\Desktop.ini Kazekage.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\B: Gaara.exe File opened (read-only) \??\R: system32.exe File opened (read-only) \??\L: 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\H: 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\Q: csrss.exe File opened (read-only) \??\G: Gaara.exe File opened (read-only) \??\B: Kazekage.exe File opened (read-only) \??\B: 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\M: 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\U: csrss.exe File opened (read-only) \??\S: Gaara.exe File opened (read-only) \??\N: system32.exe File opened (read-only) \??\Y: Kazekage.exe File opened (read-only) \??\K: Gaara.exe File opened (read-only) \??\Z: Gaara.exe File opened (read-only) \??\X: system32.exe File opened (read-only) \??\K: 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\E: Kazekage.exe File opened (read-only) \??\V: 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\H: Gaara.exe File opened (read-only) \??\I: Kazekage.exe File opened (read-only) \??\N: csrss.exe File opened (read-only) \??\S: Kazekage.exe File opened (read-only) \??\M: Gaara.exe File opened (read-only) \??\J: smss.exe File opened (read-only) \??\W: csrss.exe File opened (read-only) \??\B: system32.exe File opened (read-only) \??\X: 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\X: csrss.exe File opened (read-only) \??\G: smss.exe File opened (read-only) \??\K: smss.exe File opened (read-only) \??\J: system32.exe File opened (read-only) \??\H: csrss.exe File opened (read-only) \??\O: csrss.exe File opened (read-only) \??\M: smss.exe File opened (read-only) \??\K: system32.exe File opened (read-only) \??\A: 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\I: 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\S: 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\H: smss.exe File opened (read-only) \??\P: smss.exe File opened (read-only) \??\W: system32.exe File opened (read-only) \??\R: 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\Y: csrss.exe File opened (read-only) \??\Y: 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\A: Gaara.exe File opened (read-only) \??\I: system32.exe File opened (read-only) \??\P: system32.exe File opened (read-only) \??\Q: system32.exe File opened (read-only) \??\K: csrss.exe File opened (read-only) \??\V: csrss.exe File opened (read-only) \??\A: smss.exe File opened (read-only) \??\V: smss.exe File opened (read-only) \??\X: smss.exe File opened (read-only) \??\U: system32.exe File opened (read-only) \??\Z: system32.exe File opened (read-only) \??\R: smss.exe File opened (read-only) \??\U: smss.exe File opened (read-only) \??\T: Kazekage.exe File opened (read-only) \??\V: Kazekage.exe File opened (read-only) \??\H: system32.exe File opened (read-only) \??\J: Kazekage.exe File opened (read-only) \??\B: smss.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created \??\X:\Autorun.inf 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\E:\Autorun.inf smss.exe File opened for modification \??\X:\Autorun.inf Gaara.exe File created \??\E:\Autorun.inf Kazekage.exe File created \??\Z:\Autorun.inf system32.exe File created \??\I:\Autorun.inf 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File created \??\J:\Autorun.inf smss.exe File created \??\H:\Autorun.inf csrss.exe File opened for modification \??\Y:\Autorun.inf csrss.exe File opened for modification \??\R:\Autorun.inf Kazekage.exe File created \??\W:\Autorun.inf Kazekage.exe File opened for modification \??\L:\Autorun.inf system32.exe File opened for modification \??\Q:\Autorun.inf system32.exe File opened for modification \??\E:\Autorun.inf 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\A:\Autorun.inf smss.exe File opened for modification C:\Autorun.inf smss.exe File opened for modification \??\Q:\Autorun.inf smss.exe File created \??\U:\Autorun.inf smss.exe File opened for modification \??\N:\Autorun.inf Gaara.exe File opened for modification \??\Q:\Autorun.inf Gaara.exe File opened for modification \??\U:\Autorun.inf Gaara.exe File created \??\X:\Autorun.inf Gaara.exe File opened for modification \??\T:\Autorun.inf csrss.exe File created \??\J:\Autorun.inf Kazekage.exe File created \??\Q:\Autorun.inf Kazekage.exe File created \??\I:\Autorun.inf system32.exe File opened for modification \??\M:\Autorun.inf system32.exe File created \??\O:\Autorun.inf 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\Z:\Autorun.inf 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File created \??\Q:\Autorun.inf smss.exe File created \??\T:\Autorun.inf system32.exe File opened for modification C:\Autorun.inf 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\V:\Autorun.inf smss.exe File opened for modification \??\K:\Autorun.inf Gaara.exe File created D:\Autorun.inf Kazekage.exe File opened for modification \??\N:\Autorun.inf Kazekage.exe File opened for modification \??\J:\Autorun.inf smss.exe File created \??\L:\Autorun.inf smss.exe File opened for modification \??\Z:\Autorun.inf Gaara.exe File created \??\M:\Autorun.inf Kazekage.exe File created \??\V:\Autorun.inf system32.exe File opened for modification \??\K:\Autorun.inf 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File created \??\N:\Autorun.inf csrss.exe File created \??\L:\Autorun.inf 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File created \??\H:\Autorun.inf Gaara.exe File created \??\Z:\Autorun.inf Gaara.exe File created D:\Autorun.inf csrss.exe File created \??\R:\Autorun.inf csrss.exe File created \??\H:\Autorun.inf Kazekage.exe File opened for modification \??\I:\Autorun.inf 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\H:\Autorun.inf smss.exe File created \??\G:\Autorun.inf system32.exe File created \??\R:\Autorun.inf system32.exe File opened for modification F:\Autorun.inf Kazekage.exe File opened for modification \??\A:\Autorun.inf Gaara.exe File created \??\G:\Autorun.inf 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\J:\Autorun.inf 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File created \??\R:\Autorun.inf 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\G:\Autorun.inf csrss.exe File opened for modification \??\V:\Autorun.inf Kazekage.exe File created \??\A:\Autorun.inf system32.exe File opened for modification F:\Autorun.inf Gaara.exe File opened for modification \??\N:\Autorun.inf system32.exe File opened for modification \??\R:\Autorun.inf system32.exe -
Drops file in System32 directory 39 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\ smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File created C:\Windows\SysWOW64\mscomctl.ocx 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\Desktop.ini 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File created C:\Windows\SysWOW64\29-5-2025.exe 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\ 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe -
resource yara_rule behavioral1/memory/2384-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x0007000000024247-11.dat upx behavioral1/files/0x0007000000024245-31.dat upx behavioral1/memory/5952-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x0007000000024247-46.dat upx behavioral1/files/0x000700000002424a-53.dat upx behavioral1/files/0x000700000002424b-57.dat upx behavioral1/memory/1068-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1068-74-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x0007000000024246-76.dat upx behavioral1/memory/6004-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x000700000002424a-93.dat upx behavioral1/files/0x000700000002424b-97.dat upx behavioral1/files/0x0007000000024248-89.dat upx behavioral1/memory/2896-118-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4684-124-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x0007000000024247-121.dat upx behavioral1/memory/5952-134-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x000700000002424b-139.dat upx behavioral1/memory/2668-157-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5316-159-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2668-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2484-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x000700000002424a-173.dat upx behavioral1/memory/536-175-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/6004-174-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-179-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2556-193-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x000700000002424b-197.dat upx behavioral1/memory/4684-213-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/776-218-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3688-222-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/556-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-236-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5108-237-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5900-233-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2188-241-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/6020-245-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-253-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5108-252-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1940-269-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5516-275-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5900-281-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3584-283-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2980-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1496-292-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3508-299-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/532-302-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4860-306-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4432-308-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5952-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/536-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/6004-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5900-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4684-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2384-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5952-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/5952-387-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x0001000000000031-426.dat upx behavioral1/memory/2384-499-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/6004-543-0x0000000000400000-0x000000000042A000-memory.dmp upx -
Drops file in Windows directory 64 IoCs
description ioc Process File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe csrss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe File created C:\Windows\WBEM\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\system\mscoree.dll system32.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe system32.exe File opened for modification C:\Windows\msvbvm60.dll 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\msvbvm60.dll system32.exe File opened for modification C:\Windows\mscomctl.ocx 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe smss.exe File opened for modification C:\Windows\mscomctl.ocx csrss.exe File opened for modification C:\Windows\ csrss.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe Gaara.exe File opened for modification C:\Windows\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\The Kazekage.jpg 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe smss.exe File created C:\Windows\WBEM\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\msvbvm60.dll smss.exe File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe system32.exe File opened for modification C:\Windows\ 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe smss.exe File opened for modification C:\Windows\mscomctl.ocx smss.exe File opened for modification C:\Windows\system\mscoree.dll 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll smss.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe Gaara.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe Kazekage.exe File opened for modification C:\Windows\mscomctl.ocx system32.exe File opened for modification C:\Windows\ system32.exe File opened for modification C:\Windows\msvbvm60.dll smss.exe File opened for modification C:\Windows\system\mscoree.dll Kazekage.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe Kazekage.exe File opened for modification C:\Windows\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\system\mscoree.dll Gaara.exe File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe File created C:\Windows\mscomctl.ocx 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe Gaara.exe File opened for modification C:\Windows\ Gaara.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe Kazekage.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\system\msvbvm60.dll 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe csrss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll system32.exe File opened for modification C:\Windows\ smss.exe File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe smss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe Kazekage.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg system32.exe File opened for modification C:\Windows\ Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\msvbvm60.dll 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\system\mscoree.dll csrss.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 34 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 464 ping.exe 3448 ping.exe 3528 ping.exe 5856 ping.exe 4824 ping.exe 4760 ping.exe 3244 ping.exe 4904 ping.exe 3860 ping.exe 4948 ping.exe 512 ping.exe 6032 ping.exe 3756 ping.exe 3448 ping.exe 4624 ping.exe 1952 ping.exe 4752 ping.exe 404 ping.exe 6132 ping.exe 1236 ping.exe 5776 ping.exe 5496 ping.exe 1644 ping.exe 2628 ping.exe 4736 ping.exe 4244 ping.exe 1688 ping.exe 3792 ping.exe 1400 ping.exe 5876 ping.exe 2612 ping.exe 312 ping.exe 5892 ping.exe 5980 ping.exe -
Modifies Control Panel 64 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\WallpaperStyle = "2" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Speed = "4" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\WallpaperStyle = "2" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Size = "72" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\WallpaperStyle = "2" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" smss.exe Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop smss.exe Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" csrss.exe Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Screen Saver.Marquee system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Software\Microsoft\Internet Explorer\Main smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Software\Microsoft\Internet Explorer\Main system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Software\Microsoft\Internet Explorer\Main 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-3342576763-1998465526-3870295501-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe -
Modifies registry class 51 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe -
Runs ping.exe 1 TTPs 34 IoCs
pid Process 4948 ping.exe 1688 ping.exe 4752 ping.exe 1400 ping.exe 5980 ping.exe 3792 ping.exe 5496 ping.exe 4760 ping.exe 312 ping.exe 5856 ping.exe 4904 ping.exe 1236 ping.exe 3860 ping.exe 1952 ping.exe 6132 ping.exe 3756 ping.exe 464 ping.exe 512 ping.exe 4624 ping.exe 3448 ping.exe 1644 ping.exe 4244 ping.exe 4736 ping.exe 6032 ping.exe 404 ping.exe 5776 ping.exe 2612 ping.exe 3448 ping.exe 2628 ping.exe 3528 ping.exe 3244 ping.exe 5892 ping.exe 4824 ping.exe 5876 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 4684 csrss.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 4684 csrss.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 4684 csrss.exe 4684 csrss.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 4684 csrss.exe 4684 csrss.exe 4684 csrss.exe 4684 csrss.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 536 Kazekage.exe 4684 csrss.exe 4684 csrss.exe 4684 csrss.exe 4684 csrss.exe 4684 csrss.exe 4684 csrss.exe 4684 csrss.exe 4684 csrss.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 5952 smss.exe 1068 smss.exe 6004 Gaara.exe 1876 smss.exe 2896 Gaara.exe 4684 csrss.exe 5316 smss.exe 2668 Gaara.exe 2484 csrss.exe 536 Kazekage.exe 2556 Gaara.exe 3688 csrss.exe 776 smss.exe 2188 Gaara.exe 556 Kazekage.exe 6020 csrss.exe 5900 system32.exe 3192 csrss.exe 5108 Kazekage.exe 1940 system32.exe 5516 Kazekage.exe 5752 smss.exe 3584 system32.exe 2980 Gaara.exe 1496 system32.exe 5220 csrss.exe 3508 Kazekage.exe 532 Kazekage.exe 4860 system32.exe 4432 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2384 wrote to memory of 5952 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 87 PID 2384 wrote to memory of 5952 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 87 PID 2384 wrote to memory of 5952 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 87 PID 5952 wrote to memory of 1068 5952 smss.exe 90 PID 5952 wrote to memory of 1068 5952 smss.exe 90 PID 5952 wrote to memory of 1068 5952 smss.exe 90 PID 5952 wrote to memory of 6004 5952 smss.exe 94 PID 5952 wrote to memory of 6004 5952 smss.exe 94 PID 5952 wrote to memory of 6004 5952 smss.exe 94 PID 6004 wrote to memory of 1876 6004 Gaara.exe 97 PID 6004 wrote to memory of 1876 6004 Gaara.exe 97 PID 6004 wrote to memory of 1876 6004 Gaara.exe 97 PID 6004 wrote to memory of 2896 6004 Gaara.exe 100 PID 6004 wrote to memory of 2896 6004 Gaara.exe 100 PID 6004 wrote to memory of 2896 6004 Gaara.exe 100 PID 6004 wrote to memory of 4684 6004 Gaara.exe 101 PID 6004 wrote to memory of 4684 6004 Gaara.exe 101 PID 6004 wrote to memory of 4684 6004 Gaara.exe 101 PID 4684 wrote to memory of 5316 4684 csrss.exe 102 PID 4684 wrote to memory of 5316 4684 csrss.exe 102 PID 4684 wrote to memory of 5316 4684 csrss.exe 102 PID 4684 wrote to memory of 2668 4684 csrss.exe 103 PID 4684 wrote to memory of 2668 4684 csrss.exe 103 PID 4684 wrote to memory of 2668 4684 csrss.exe 103 PID 4684 wrote to memory of 2484 4684 csrss.exe 106 PID 4684 wrote to memory of 2484 4684 csrss.exe 106 PID 4684 wrote to memory of 2484 4684 csrss.exe 106 PID 4684 wrote to memory of 536 4684 csrss.exe 107 PID 4684 wrote to memory of 536 4684 csrss.exe 107 PID 4684 wrote to memory of 536 4684 csrss.exe 107 PID 2384 wrote to memory of 2556 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 108 PID 2384 wrote to memory of 2556 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 108 PID 2384 wrote to memory of 2556 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 108 PID 2384 wrote to memory of 3688 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 109 PID 2384 wrote to memory of 3688 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 109 PID 2384 wrote to memory of 3688 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 109 PID 536 wrote to memory of 776 536 Kazekage.exe 110 PID 536 wrote to memory of 776 536 Kazekage.exe 110 PID 536 wrote to memory of 776 536 Kazekage.exe 110 PID 2384 wrote to memory of 556 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 111 PID 2384 wrote to memory of 556 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 111 PID 2384 wrote to memory of 556 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 111 PID 536 wrote to memory of 2188 536 Kazekage.exe 112 PID 536 wrote to memory of 2188 536 Kazekage.exe 112 PID 536 wrote to memory of 2188 536 Kazekage.exe 112 PID 5952 wrote to memory of 6020 5952 smss.exe 113 PID 5952 wrote to memory of 6020 5952 smss.exe 113 PID 5952 wrote to memory of 6020 5952 smss.exe 113 PID 2384 wrote to memory of 5900 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 114 PID 2384 wrote to memory of 5900 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 114 PID 2384 wrote to memory of 5900 2384 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe 114 PID 536 wrote to memory of 3192 536 Kazekage.exe 115 PID 536 wrote to memory of 3192 536 Kazekage.exe 115 PID 536 wrote to memory of 3192 536 Kazekage.exe 115 PID 5952 wrote to memory of 5108 5952 smss.exe 116 PID 5952 wrote to memory of 5108 5952 smss.exe 116 PID 5952 wrote to memory of 5108 5952 smss.exe 116 PID 5952 wrote to memory of 1940 5952 smss.exe 118 PID 5952 wrote to memory of 1940 5952 smss.exe 118 PID 5952 wrote to memory of 1940 5952 smss.exe 118 PID 536 wrote to memory of 5516 536 Kazekage.exe 117 PID 536 wrote to memory of 5516 536 Kazekage.exe 117 PID 536 wrote to memory of 5516 536 Kazekage.exe 117 PID 5900 wrote to memory of 5752 5900 system32.exe 119 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-29_11756abfad621de2c8a0ead901ab20e0_amadey_black-basta_elex_luca-stealer.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2384 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5952 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1068
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:6004 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1876
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2896
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4684 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5316
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2668
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2484
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:536 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:776
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2188
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3192
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5516
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3584
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5876
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:464
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2628
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4760
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1496
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3756
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:404
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3448
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1644
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6132
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3244
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:532
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4860
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3448
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5980
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3860
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2612
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1952
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4736
-
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:6020
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5108
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1940
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:6032
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4824
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5776
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5496
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5856
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1688
-
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2556
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3688
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:556
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:5900 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5752
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2980
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5220
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3508
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4432
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4948
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3792
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4244
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4624
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4752
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4904
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5892
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1400
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1236
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:512
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:312
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3528
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\smss.exe1⤵PID:3756
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\Gaara.exe1⤵PID:4104
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 29-5-2025.exe1⤵PID:3032
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:5744
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD51564dfe69ffed40950e5cb644e0894d1
SHA1201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA51272df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
9.1MB
MD527040b1d7226340bfa086947f6f25e7d
SHA1b5708fb24a3a6d5856c68431e460f62ceb27c738
SHA256c14fec1d79dcbfd1ea8541b86893a390694af0b67abf016f3a0115a38a926c25
SHA5123c3b3f507f95c75e7f5c69016497470be64cae02f5b36a06b813947883189cb051efda24560b6424f1d7f1be7a7e4b29bc43cb47e76c51d124dd08783d83a5ea
-
Filesize
9.1MB
MD511756abfad621de2c8a0ead901ab20e0
SHA11e600d5e8502a4f6bde4126ebc054f95e53f4031
SHA2561b29e33fc0f8631a131fa56da8295919798ff0085a50171f33855d1b6e4823ad
SHA512afcc251e9faa79737541928c08884b6a8b30b1c5941301805562fd77aecbe900c482a0d9c15258dbdda958eb4719a10db7e8835a563e9be603b7fda439f9cf7e
-
Filesize
9.1MB
MD52c9d946ace6ebd3d7e7429b02621ecda
SHA1b799e33b9e6debbb775ea93171fb514920149f75
SHA256033127e5c02089b50e35f121195541870d2667a9446dc1ddd1b5cd0b3c0ae9de
SHA5122c5c457769715d3f7d755ad5de014d54a44da3c8f7ac22a2af2c69b28d51b73a2243e2b2bb9710d4a0bb6fca87dff28ba9f5bb730d892ee46ac54286a3ff1dfb
-
Filesize
9.1MB
MD5bf6a7a45783eede00034e417683c23cf
SHA135fa17af7fd69b024e7c4e558e3e46d1c2e72499
SHA2560f8414825c864623b56f1fa95ff6b9bdac5ea0c75dfe937c13577fdac70e4f93
SHA512729f06a206e3c3702d4daaf03b2051a2b808918a09440ef3e89c1ba64466f1f983d50659ba12e49e7f6e44777ce92240d1e915336e879458062a06fb5c5fc4b7
-
Filesize
9.1MB
MD568f24d30f38a9d42e20db159cfbb5185
SHA1c06a7e8f565ff9966760c3439eceb0f063544d9d
SHA256d7723dd38ea5ba914d381a1f48bd51d6614acb1bdbac3165fe2339335728eed1
SHA5123ca34d9138c6ae8607e8a5a297bfd58f4f79f900215611d792f2bef771338a3f081b2d2b85b82be779b346820bdc107ee84b447cd203a2de345664bc16b2b169
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
9.1MB
MD508df84402b166a3f16e468da3208430f
SHA182c7e1e75f056ad43e64aff2b086d37b2568497d
SHA25632e432e2cc329d5ba172544509475fef0c9f81a094395cfa281ee580198d1d3a
SHA5128ebc6edb1af3a944efc3ce2da5eaf6c2bec3949cb5b74485c439529a4587b959cff87f8866b37cb51b56456d33103ae096775c21a200a0b40634e6da9e551604
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
9.1MB
MD56f2fdf5cf96309037d3d26bdcb679140
SHA1fcd56dfdc9856910feee7f2095de4d76cdff28de
SHA256b987968db916ba5bb3cd51eebdc5fba6f14484407dd277fe0e50172ef0f99585
SHA51283e82f7f804f5b5954711291e3498120a09066ecb62f809d2a8d8010ef253b7463bea640a8f4a6dd2d6ed99ad3efee5252cb9f4c45e3f20a20c6b89a9ddff339
-
Filesize
9.1MB
MD5c81cf21fcce58dbce1ca2b27ca3b50f4
SHA14cf14d212bc005feefbc6212532e73b1e9716ecd
SHA256d1c6d3abf736016702ce2d3399900d9b48f6a5ea805296e67d51d08342f8f8af
SHA512b951169da717fba37c9691fd0e5cdcfc51f90fb2b0beebd04176c4bca6d07254911fc9e74a9618a1ed17d3fb9de9ffb3ab9ae86e1f57f7ecff410e6a06018237
-
Filesize
9.1MB
MD5ad8041b8f2d6817069368b447050ed70
SHA194ea8c37e82e378c62dbfac02c6440d457bbc09a
SHA25666581392c4a9254a1d90165b34264d9c6f475eb709b294db6a764dd0393f1b72
SHA5129295f74ce6153b3ce7b04e9b3d5e351b486f298df10210cf14b3deeee891c8e242b58b6c412cb1848e2cad4e24601d6381f88683c862b5901c576fb786dbb510
-
Filesize
1.3MB
MD5e884c9fc34c220116ba9f9c90faaf6b3
SHA11258f92e9c9e4154df4d9f5b13041642f56255b8
SHA256cd90495a134d52149da3d7690f354ab1e3383be738875a7131cf793c47fcd47f
SHA51221a0f156cd7fbeb28e370a1ac4cf029d6bc6bae6acdc2f99e05165de7a919d7146d3a84ee4dea996c1a8b5bb6440ae016096341342d8d6f5866740b09224a45a
-
Filesize
9.1MB
MD5f5524a4ad88cc806a2fdc7a9d4f9382c
SHA1fd4be1556f2b58a17c25d2ecaa4e10f6fa95fe4f
SHA256852fb574b1a25574aab25f90f1421ec330749dc10ca887eff29ccb7925a24cdb
SHA51293d4f4b870fc6926c0acaf1c50c5810041ad9b5e33874a9fce531503251e25c9fc6d924a530c08ddab560ef5ebd6f9de1f25529435da0e721c1338a8f6a6d14c
-
Filesize
9.1MB
MD5bdf1fdc3c1fa3da934730f0446551529
SHA17e051c0aa26236b9738ae209dd46256b84372476
SHA2563941276e848ac3dba453a5dd35b9ce9ea34e20a6b1dd56cda45572ef30832239
SHA512cc9bf6dd31e73984fafa17a0edaf8fbc7874008e07cfeed04232076289bf3ab2fec26abab182e5acc30f5eacd5bc37ad9b72636f49de22ce4035a4dd5d874362
-
Filesize
9.1MB
MD516059a0faccad7baa10e192bb0710ba5
SHA1c7a1e6d279ca8d77479ef2542e12a22f1fdc230b
SHA2561a549b98bb4c47492610aa90a698f63d97dd98346463096ba7278dbe2aee296d
SHA512fcf6eb8114006fd34e62a553ba6e3863b343117ce900a9bffcdb6615e4111576a587fc5437902bf4a45b7138286ed3480fb731550d8aa0a52cb3a40f59790854
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
7.2MB
MD593c2066ae6e9dc732c7f46d897ce0867
SHA1133a97837686bf98f4fd0ea5bf8e0507d8800090
SHA2564711a82c1c1916d89f23d94f12910ce716f561de946fe5aaba78cd715af8bcc3
SHA512e74c5894a6f96fb112613c10ad5471c10c34b1f4e1c3bb25cbe3107d1d0650be88d3489bdeceb99a6bf6182cc947adfa07f41f6974772c9995442c05a700d1b4