Analysis
  max time kernel: 150s
  max time network: 138s
  platform: windows10-2004_x64
  resource: win10v2004-20250502-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20250502-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 29/05/2025, 11:41

Behavioral task: behavioral1
  Sample: 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Resource: win10v2004-20250502-en

Behavioral task: behavioral2
  Sample: 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Resource: win11-20250502-en

General
  Target: 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Size: 9.1MB
  MD5: 9aaf66041598bcc6ced612f0f42812ad
  SHA1: 42d51c3f422799a5f7c437a1e94d583d4c540182
  SHA256: c5271eb25fc9cbee598e6a95925b150d35269bc02db640d758752244aa4ca845
  SHA512: 79dae066a012720803d8556a75f6087610759528bfff36823032c6df48318e6ad642ef5f18fd6cf3eef21baf68df6f71c8b1264958486cf2b53fd5c9a525332b
  SSDEEP: 98304:HGyqWyWy0GyqWyWyMRPC1em1eHL5dGTEYm:A1em1eHL5dem
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 12 IoCs)
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon
  description | ioc | process
  Set value (str) | Userinit = "userinit.exe,drivers\\system32.exe" | Gaara.exe
  Set value (str) | Shell = "Explorer.exe, drivers\\csrss.exe" | Kazekage.exe
  Set value (str) | Shell = "Explorer.exe, drivers\\csrss.exe" | smss.exe
  Set value (str) | Userinit = "userinit.exe,drivers\\system32.exe" | csrss.exe
  Set value (str) | Userinit = "userinit.exe,drivers\\system32.exe" | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Set value (str) | Userinit = "userinit.exe,drivers\\system32.exe" | Kazekage.exe
  Set value (str) | Userinit = "userinit.exe,drivers\\system32.exe" | smss.exe
  Set value (str) | Shell = "Explorer.exe, drivers\\csrss.exe" | csrss.exe
  Set value (str) | Shell = "Explorer.exe, drivers\\csrss.exe" | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Set value (str) | Shell = "Explorer.exe, drivers\\csrss.exe" | system32.exe
  Set value (str) | Userinit = "userinit.exe,drivers\\system32.exe" | system32.exe
  Set value (str) | Shell = "Explorer.exe, drivers\\csrss.exe" | Gaara.exe
Note: every one of these writes landed under WOW6432Node, the view a 32-bit process gets when it opens HKLM\SOFTWARE without KEY_WOW64_64KEY. The 64-bit winlogon.exe on this image reads the native Winlogon key, so the Userinit/Shell hijack is recorded but not effective here; on a 32-bit Windows install the same code would change the real values. Treat the IoC as the intent, and check both views when hunting.
Modifies visibility of file extensions in Explorer (2 TTPs, 6 IoCs)
Value: \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"
  description | process
  Set value (int) | csrss.exe
  Set value (int) | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Set value (int) | system32.exe
  Set value (int) | Gaara.exe
  Set value (int) | Kazekage.exe
  Set value (int) | smss.exe
Modifies visibility of hidden/system files in Explorer (2 TTPs, 6 IoCs)
Value: \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"
  description | process
  Set value (int) | csrss.exe
  Set value (int) | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Set value (int) | system32.exe
  Set value (int) | Gaara.exe
  Set value (int) | Kazekage.exe
  Set value (int) | smss.exe
UAC bypass (3 TTPs, 6 IoCs)
Value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
  description | process
  Set value (int) | Kazekage.exe
  Set value (int) | smss.exe
  Set value (int) | csrss.exe
  Set value (int) | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Set value (int) | system32.exe
  Set value (int) | Gaara.exe
Disables RegEdit via registry modification (6 IoCs)
Value: \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
  description | process
  Set value (int) | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Set value (int) | system32.exe
  Set value (int) | Gaara.exe
  Set value (int) | Kazekage.exe
  Set value (int) | smss.exe
  Set value (int) | csrss.exe
Disables use of System Restore points (1 TTPs)
Drops file in Drivers directory (24 IoCs)
  description | ioc | process
  File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
  File created | C:\Windows\SysWOW64\drivers\system32.exe | Kazekage.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Kazekage.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
  File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
  File created | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
  File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
  File created | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
  File created | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
  File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  File created | C:\Windows\SysWOW64\drivers\system32.exe | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | smss.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | csrss.exe
  File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | csrss.exe
  File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | system32.exe
  File created | C:\Windows\SysWOW64\drivers\system32.exe | system32.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | smss.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | Gaara.exe
  File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | Gaara.exe
Note: the dropped copies are named after legitimate Windows images (smss.exe, csrss.exe, system32.exe) but sit in SysWOW64\drivers, which is where WOW64 file system redirection sends a 32-bit process that writes to System32\drivers. When triaging a host, match on the full path, not the image name.
Event Triggered Execution: Image File Execution Options Injection (1 TTPs, 64 IoCs)
Key prefix: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
  description | ioc | process
  Set value (str) | regedit.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
  Key created | Funny UST Scandal.avi.exe | smss.exe
  Set value (str) | cscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
  Set value (str) | Obito.exe\Debugger = "cmd.exe /c del" | csrss.exe
  Set value (str) | kspool.exe\Debugger = "cmd.exe /c del" | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Key created | taskmgr.exe | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Set value (str) | regedt32.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
  Set value (str) | regedt32.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
  Set value (str) | Thumbs.com\Debugger = "cmd.exe /c del" | csrss.exe
  Key created | Obito.exe | Gaara.exe
  Key created | regedt32.exe | smss.exe
  Set value (str) | kspoold.exe\Debugger = "cmd.exe /c del" | system32.exe
  Set value (str) | Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | system32.exe
  Set value (str) | cscript.exe\Debugger = "drivers\\Kazekage.exe" | Kazekage.exe
  Key created | HOKAGE4.exe | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Set value (str) | HokageFile.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
  Set value (str) | kspoold.exe\Debugger = "cmd.exe /c del" | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Set value (str) | Rin.exe\Debugger = "cmd.exe /c del" | system32.exe
  Key created | taskmgr.exe | system32.exe
  Set value (str) | mmc.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
  Key created | taskmgr.exe | csrss.exe
  Key created | Funny UST Scandal.avi.exe | csrss.exe
  Key created | Funny UST Scandal.exe | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Key created | regedit.exe | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Key created | Rin.exe | system32.exe
  Set value (str) | procexp.exe\Debugger = "cmd.exe /c del" | system32.exe
  Set value (str) | mmc.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
  Key created | taskmgr.exe | Gaara.exe
  Set value (str) | wscript.exe\Debugger = "drivers\\Kazekage.exe" | Gaara.exe
  Set value (str) | Thumbs.com\Debugger = "cmd.exe /c del" | Kazekage.exe
  Set value (str) | KakashiHatake.exe\Debugger = "cmd.exe /c del" | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Set value (str) | Rin.exe\Debugger = "cmd.exe /c del" | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Key created | cscript.exe | Kazekage.exe
  Key created | HOKAGE4.exe | csrss.exe
  Key created | Thumbs.com | csrss.exe
  Set value (str) | HOKAGE4.exe\Debugger = "cmd.exe /c del" | Kazekage.exe
  Key created | mmc.exe | csrss.exe
  Key created | Obito.exe | Kazekage.exe
  Key created | HOKAGE4.exe | smss.exe
  Key created | Funny UST Scandal.exe | system32.exe
  Key created | wscript.exe | system32.exe
  Set value (str) | taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
  Key created | kspool.exe | system32.exe
  Key created | KakashiHatake.exe | system32.exe
  Set value (str) | taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
  Key created | Funny UST Scandal.avi.exe | system32.exe
  Key created | HokageFile.exe | smss.exe
  Set value (str) | Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | csrss.exe
  Set value (str) | wscript.exe\Debugger = "drivers\\Kazekage.exe" | system32.exe
  Key created | procexp.exe | smss.exe
  Key created | cscript.exe | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Key created | rstrui.exe | system32.exe
  Key created | Thumbs.com | Gaara.exe
  Set value (str) | kspoold.exe\Debugger = "cmd.exe /c del" | smss.exe
  Key created | mmc.exe | smss.exe
  Key created | Funny UST Scandal.avi.exe | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Key created | HokageFile.exe | Kazekage.exe
  Key created | Funny UST Scandal.exe | smss.exe
  Set value (str) | kspoold.exe\Debugger = "cmd.exe /c del" | csrss.exe
  Key created | rstrui.exe | csrss.exe
  Key created | kspoold.exe | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Set value (str) | HokageFile.exe\Debugger = "cmd.exe /c del" | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Key created | cscript.exe | system32.exe
  Set value (str) | wscript.exe\Debugger = "drivers\\Kazekage.exe" | smss.exe
Two patterns are visible in the Debugger values: admin and scripting tools (regedit.exe, regedt32.exe, taskmgr.exe, mmc.exe, cscript.exe, wscript.exe) are redirected to drivers\\Kazekage.exe, so launching them relaunches the malware instead, while a list of other image names (Obito.exe, Rin.exe, HOKAGE4.exe, HokageFile.exe, KakashiHatake.exe, kspool.exe, kspoold.exe, Thumbs.com, Funny UST Scandal.exe, procexp.exe) gets Debugger = "cmd.exe /c del", which makes Windows run cmd.exe /c del <image path> whenever one of them is started, deleting it.
Executes dropped EXE (30 IoCs)
  pid | process
  5604 | smss.exe
  2024 | smss.exe
  4768 | Gaara.exe
  2332 | smss.exe
  2492 | Gaara.exe
  4944 | csrss.exe
  5016 | smss.exe
  2144 | Gaara.exe
  2100 | csrss.exe
  5512 | Kazekage.exe
  5624 | smss.exe
  4592 | Gaara.exe
  3888 | csrss.exe
  1444 | csrss.exe
  3056 | Kazekage.exe
  1916 | Gaara.exe
  5204 | Kazekage.exe
  4520 | Kazekage.exe
  5252 | system32.exe
  4112 | system32.exe
  3592 | csrss.exe
  2800 | system32.exe
  3176 | system32.exe
  3188 | Kazekage.exe
  5780 | smss.exe
  5008 | Gaara.exe
  2304 | system32.exe
  3116 | csrss.exe
  2792 | Kazekage.exe
  3920 | system32.exe
Loads dropped DLL (18 IoCs)
  pid | process
  5604 | smss.exe
  2024 | smss.exe
  4768 | Gaara.exe
  2332 | smss.exe
  2492 | Gaara.exe
  4944 | csrss.exe
  5016 | smss.exe
  2144 | Gaara.exe
  2100 | csrss.exe
  5624 | smss.exe
  4592 | Gaara.exe
  3888 | csrss.exe
  1444 | csrss.exe
  1916 | Gaara.exe
  3592 | csrss.exe
  5780 | smss.exe
  5008 | Gaara.exe
  3116 | csrss.exe
Adds Run key to start application (2 TTPs, 24 IoCs)
Key: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
  description | ioc | process
  Set value (str) | 644r4 = "29-5-2025.exe" | smss.exe
  Set value (str) | 644r4 = "29-5-2025.exe" | csrss.exe
  Set value (str) | SystemRun = "drivers\\csrss.exe" | csrss.exe
  Set value (str) | DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Set value (str) | FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" | system32.exe
  Set value (str) | SystemRun = "drivers\\csrss.exe" | system32.exe
  Set value (str) | DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" | Gaara.exe
  Set value (str) | DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" | Kazekage.exe
  Set value (str) | FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" | Kazekage.exe
  Set value (str) | 644r4 = "29-5-2025.exe" | Kazekage.exe
  Set value (str) | FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" | smss.exe
  Set value (str) | SystemRun = "drivers\\csrss.exe" | smss.exe
  Set value (str) | FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" | csrss.exe
  Set value (str) | FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Set value (str) | SystemRun = "drivers\\csrss.exe" | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Set value (str) | SystemRun = "drivers\\csrss.exe" | Kazekage.exe
  Set value (str) | 644r4 = "29-5-2025.exe" | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Set value (str) | 644r4 = "29-5-2025.exe" | Gaara.exe
  Set value (str) | SystemRun = "drivers\\csrss.exe" | Gaara.exe
  Set value (str) | DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" | csrss.exe
  Set value (str) | DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" | system32.exe
  Set value (str) | 644r4 = "29-5-2025.exe" | system32.exe
  Set value (str) | FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" | Gaara.exe
  Set value (str) | DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" | smss.exe
Four distinct value names are set (644r4, SystemRun, DesertSand, FreeAV), all with relative paths; the "29 - 5 - 2025" folder name and "29-5-2025.exe" are derived from the analysis date, so they will differ on every host.
Checks whether UAC is enabled (1 TTPs, 6 IoCs)
Value: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (the same writes as the UAC bypass signature above)
  description | process
  Set value (int) | Gaara.exe
  Set value (int) | Kazekage.exe
  Set value (int) | smss.exe
  Set value (int) | csrss.exe
  Set value (int) | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
  Set value (int) | system32.exe
Drops desktop.ini file(s) (64 IoCs)
All 64 entries are "File opened for modification <root>\Desktop.ini"; drive roots by process, in report order (the \??\ prefix is kept where the sandbox logged it):
  Kazekage.exe (12): \??\A:, \??\L:, D:, \??\I:, \??\Y:, \??\P:, \??\U:, \??\S:, \??\Q:, \??\X:, \??\K:, \??\W:
  csrss.exe (10): \??\A:, \??\G:, \??\M:, \??\E:, \??\U:, \??\R:, \??\I:, \??\Q:, \??\L:, \??\X:
  smss.exe (14): \??\O:, D:, \??\I:, \??\J:, \??\Q:, \??\B:, \??\H:, \??\K:, C:, \??\M:, \??\W:, F:, \??\G:, \??\N:
  system32.exe (11): C:, \??\E:, \??\V:, \??\A:, \??\R:, \??\W:, \??\S:, \??\L:, \??\B:, \??\X:, \??\Z:
  Gaara.exe (9): \??\O:, F:, \??\I:, \??\S:, \??\A:, \??\Q:, \??\T:, \??\H:, D:
  2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe (8): \??\O:, \??\G:, \??\Z:, \??\K:, \??\Y:, D:, \??\J:, \??\L:
Enumerates connected drives (3 TTPs, 64 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 64 entries are "File opened (read-only) \??\<letter>:"; drive letters by process, in report order:
  Kazekage.exe (10): A:, J:, V:, M:, W:, X:, R:, O:, Z:, Y:
  smss.exe (11): S:, W:, J:, X:, Z:, M:, Y:, L:, O:, K:, Q:
  csrss.exe (12): X:, K:, Y:, P:, S:, Z:, J:, N:, R:, O:, E:, Q:
  system32.exe (11): B:, R:, N:, O:, M:, Y:, J:, S:, W:, Z:, E:
  Gaara.exe (11): R:, T:, V:, X:, Q:, E:, Z:, H:, O:, S:, K:
  2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe (9): T:, W:, L:, E:, K:, A:, Q:, S:, X:
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process
File opened for modification \??\X:\Autorun.inf Kazekage.exe
File created \??\Y:\Autorun.inf Kazekage.exe
File opened for modification D:\Autorun.inf 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification \??\M:\Autorun.inf 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File created D:\Autorun.inf csrss.exe
File created \??\S:\Autorun.inf 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File created \??\V:\Autorun.inf 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification \??\V:\Autorun.inf csrss.exe
File created \??\J:\Autorun.inf smss.exe
File opened for modification \??\Z:\Autorun.inf system32.exe
File opened for modification \??\T:\Autorun.inf 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File created \??\K:\Autorun.inf smss.exe
File created \??\W:\Autorun.inf Gaara.exe
File created \??\A:\Autorun.inf Kazekage.exe
File created \??\Z:\Autorun.inf 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification \??\O:\Autorun.inf Gaara.exe
File created \??\J:\Autorun.inf csrss.exe
File opened for modification \??\S:\Autorun.inf system32.exe
File opened for modification C:\Autorun.inf 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File created \??\R:\Autorun.inf 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File created \??\X:\Autorun.inf 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification \??\N:\Autorun.inf smss.exe
File opened for modification \??\J:\Autorun.inf csrss.exe
File opened for modification \??\Q:\Autorun.inf csrss.exe
File created \??\S:\Autorun.inf csrss.exe
File created \??\Z:\Autorun.inf csrss.exe
File created \??\O:\Autorun.inf 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File created \??\B:\Autorun.inf Kazekage.exe
File opened for modification \??\L:\Autorun.inf system32.exe
File created \??\X:\Autorun.inf system32.exe
File created D:\Autorun.inf smss.exe
File created \??\T:\Autorun.inf Gaara.exe
File opened for modification C:\Autorun.inf csrss.exe
File created \??\E:\Autorun.inf Kazekage.exe
File created \??\L:\Autorun.inf Kazekage.exe
File opened for modification \??\Y:\Autorun.inf smss.exe
File opened for modification \??\A:\Autorun.inf smss.exe
File created \??\H:\Autorun.inf smss.exe
File opened for modification \??\J:\Autorun.inf smss.exe
File created \??\L:\Autorun.inf Gaara.exe
File created \??\N:\Autorun.inf Gaara.exe
File opened for modification \??\O:\Autorun.inf csrss.exe
File opened for modification \??\W:\Autorun.inf csrss.exe
File created \??\J:\Autorun.inf 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File created \??\W:\Autorun.inf csrss.exe
File created \??\G:\Autorun.inf Kazekage.exe
File created \??\H:\Autorun.inf Kazekage.exe
File created \??\B:\Autorun.inf system32.exe
File created \??\O:\Autorun.inf system32.exe
File created \??\T:\Autorun.inf 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification \??\W:\Autorun.inf 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification \??\B:\Autorun.inf smss.exe
File opened for modification \??\V:\Autorun.inf smss.exe
File created \??\R:\Autorun.inf csrss.exe
File created \??\Y:\Autorun.inf csrss.exe
File created \??\T:\Autorun.inf Kazekage.exe
File opened for modification \??\P:\Autorun.inf system32.exe
File created \??\S:\Autorun.inf system32.exe
File opened for modification \??\U:\Autorun.inf 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification \??\L:\Autorun.inf smss.exe
File opened for modification \??\S:\Autorun.inf smss.exe
File created \??\M:\Autorun.inf csrss.exe
File created \??\P:\Autorun.inf Kazekage.exe
File created \??\X:\Autorun.inf Kazekage.exe
Drops file in System32 directory 39 IoCs
description ioc Process
File created C:\Windows\SysWOW64\mscomctl.ocx 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe csrss.exe
File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe
File opened for modification C:\Windows\SysWOW64\ Kazekage.exe
File opened for modification C:\Windows\SysWOW64\ system32.exe
File opened for modification C:\Windows\SysWOW64\ smss.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe smss.exe
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe Gaara.exe
File opened for modification C:\Windows\SysWOW64\ 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe
File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe
File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification C:\Windows\SysWOW64\ csrss.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe Kazekage.exe
File created C:\Windows\SysWOW64\Desktop.ini 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe
File created C:\Windows\SysWOW64\29-5-2025.exe 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe
File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe system32.exe
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification C:\Windows\SysWOW64\ Gaara.exe
File created C:\Windows\SysWOW64\msvbvm60.dll 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe
resource yara_rule
behavioral1/memory/4156-0-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/files/0x0007000000024241-11.dat upx
behavioral1/memory/5604-32-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/files/0x000700000002423f-31.dat upx
behavioral1/files/0x0007000000024243-53.dat upx
behavioral1/files/0x0007000000024244-57.dat upx
behavioral1/memory/2024-70-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/files/0x0007000000024240-77.dat upx
behavioral1/memory/2024-78-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/4768-76-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2332-110-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/files/0x0007000000024244-97.dat upx
behavioral1/files/0x0007000000024243-93.dat upx
behavioral1/files/0x0007000000024242-89.dat upx
behavioral1/memory/2492-115-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2332-117-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2492-121-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/4944-124-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/files/0x0007000000024241-125.dat upx
behavioral1/files/0x0007000000024243-137.dat upx
behavioral1/memory/4156-153-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/5604-158-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2144-165-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2100-169-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/5512-174-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/4768-173-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/3888-208-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/4944-209-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/4592-216-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/3056-220-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/5512-228-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/3888-231-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/4520-236-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/files/0x0007000000024244-241.dat upx
behavioral1/memory/5252-243-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/3056-245-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/4112-248-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/3592-251-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/1916-254-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/5204-258-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/3176-261-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/4520-264-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/4112-269-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/3176-286-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/3592-284-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2800-279-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/3188-295-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2304-301-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/5008-302-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/5252-305-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/2792-310-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/3920-314-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/4944-315-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/4156-316-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/5512-317-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/5252-319-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/5604-318-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/4768-320-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/4156-344-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/5604-390-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/5512-501-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/4768-545-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/memory/4944-546-0x0000000000400000-0x000000000042A000-memory.dmp upx
behavioral1/files/0x000700000002428f-555.dat upx
Drops file in Windows directory 64 IoCs
description ioc Process
File created C:\Windows\Fonts\The Kazekage.jpg 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File created C:\Windows\system\msvbvm60.dll 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe smss.exe
File opened for modification C:\Windows\mscomctl.ocx system32.exe
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe smss.exe
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe Gaara.exe
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe Kazekage.exe
File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe system32.exe
File opened for modification C:\Windows\system\mscoree.dll smss.exe
File opened for modification C:\Windows\msvbvm60.dll smss.exe
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe csrss.exe
File opened for modification C:\Windows\Fonts\The Kazekage.jpg Kazekage.exe
File opened for modification C:\Windows\ Gaara.exe
File created C:\Windows\WBEM\msvbvm60.dll 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe csrss.exe
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll csrss.exe
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe Kazekage.exe
File opened for modification C:\Windows\Fonts\The Kazekage.jpg system32.exe
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe system32.exe
File opened for modification C:\Windows\mscomctl.ocx Gaara.exe
File opened for modification C:\Windows\ Kazekage.exe
File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe
File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe
File created C:\Windows\WBEM\msvbvm60.dll csrss.exe
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe Kazekage.exe
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll system32.exe
File opened for modification C:\Windows\mscomctl.ocx csrss.exe
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe csrss.exe
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe csrss.exe
File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe
File opened for modification C:\Windows\msvbvm60.dll system32.exe
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File created C:\Windows\msvbvm60.dll 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification C:\Windows\msvbvm60.dll 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe
File opened for modification C:\Windows\system\mscoree.dll csrss.exe
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe system32.exe
File opened for modification C:\Windows\ smss.exe
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe
File opened for modification C:\Windows\system\mscoree.dll Gaara.exe
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe Gaara.exe
File opened for modification C:\Windows\system\msvbvm60.dll system32.exe
File opened for modification C:\Windows\ csrss.exe
File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe
File opened for modification C:\Windows\Fonts\The Kazekage.jpg 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification C:\Windows\system\msvbvm60.dll 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe smss.exe
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe Kazekage.exe
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll Kazekage.exe
File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe
File opened for modification C:\Windows\system\mscoree.dll system32.exe
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll Gaara.exe
File opened for modification C:\Windows\msvbvm60.dll Gaara.exe
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe system32.exe
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe system32.exe
File opened for modification C:\Windows\ 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe csrss.exe
File opened for modification C:\Windows\ system32.exe
System Location Discovery: System Language Discovery 1 TTPs 63 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 32 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process
2472 ping.exe
5224 ping.exe
6016 ping.exe
3248 ping.exe
2984 ping.exe
3196 ping.exe
6092 ping.exe
4612 ping.exe
6088 ping.exe
5016 ping.exe
4064 ping.exe
1932 ping.exe
5416 ping.exe
3772 ping.exe
2280 ping.exe
2896 ping.exe
3784 ping.exe
3004 ping.exe
3104 ping.exe
5916 ping.exe
4488 ping.exe
6076 ping.exe
4780 ping.exe
2340 ping.exe
2476 ping.exe
4440 ping.exe
5056 ping.exe
3132 ping.exe
556 ping.exe
3964 ping.exe
6000 ping.exe
3116 ping.exe
Modifies Control Panel 64 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Size = "72" csrss.exe
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Size = "72" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" csrss.exe
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Speed = "4" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Size = "72" 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\WallpaperStyle = "2" smss.exe
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\WallpaperStyle = "2" 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\WallpaperStyle = "2" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Speed = "4" 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Gaara.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" smss.exe
Key created \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee smss.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Gaara.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | smss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | csrss.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | system32.exe
Key created | \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Software\Microsoft\Internet Explorer\Main | Gaara.exe
Key created | \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Software\Microsoft\Internet Explorer\Main | Kazekage.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | Kazekage.exe
Key created | \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Software\Microsoft\Internet Explorer\Main | smss.exe
Key created | \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Software\Microsoft\Internet Explorer\Main | csrss.exe
Key created | \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Software\Microsoft\Internet Explorer\Main | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\USER\S-1-5-21-2930597513-779029253-718817275-1000\Software\Microsoft\Internet Explorer\Main | system32.exe
Modifies registry class 51 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | smss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | system32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | smss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Gaara.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | Kazekage.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | csrss.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | system32.exe
Runs ping.exe 1 TTPs 32 IoCs
pid | Process
5224, 2340, 2476, 5016, 5416, 6092, 556, 4780, 6088, 3132, 2280, 2896, 6000, 3116, 2472, 3772, 3964, 3196, 4612, 6016, 3248, 1932, 5916, 5056, 6076, 4064, 2984, 3104, 4440, 4488, 3784, 3004 (32 pids) | ping.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
5512 | Kazekage.exe (24 entries)
5604 | smss.exe (24 entries)
4944 | csrss.exe (16 entries)
Suspicious use of SetWindowsHookEx 31 IoCs
pid | Process
4156 | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
5604 | smss.exe
2024 | smss.exe
4768 | Gaara.exe
2332 | smss.exe
2492 | Gaara.exe
4944 | csrss.exe
5016 | smss.exe
2144 | Gaara.exe
2100 | csrss.exe
5512 | Kazekage.exe
5624 | smss.exe
4592 | Gaara.exe
3888 | csrss.exe
1444 | csrss.exe
3056 | Kazekage.exe
1916 | Gaara.exe
5204 | Kazekage.exe
4520 | Kazekage.exe
5252 | system32.exe
4112 | system32.exe
2800 | system32.exe
3592 | csrss.exe
3176 | system32.exe
3188 | Kazekage.exe
5780 | smss.exe
5008 | Gaara.exe
2304 | system32.exe
3116 | csrss.exe
2792 | Kazekage.exe
3920 | system32.exe
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 4156 wrote to memory of 5604 | 4156 | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe | 90 (3 entries)
PID 5604 wrote to memory of 2024 | 5604 | smss.exe | 92 (3 entries)
PID 5604 wrote to memory of 4768 | 5604 | smss.exe | 93 (3 entries)
PID 4768 wrote to memory of 2332 | 4768 | Gaara.exe | 94 (3 entries)
PID 4768 wrote to memory of 2492 | 4768 | Gaara.exe | 95 (3 entries)
PID 4768 wrote to memory of 4944 | 4768 | Gaara.exe | 98 (3 entries)
PID 4944 wrote to memory of 5016 | 4944 | csrss.exe | 101 (3 entries)
PID 4944 wrote to memory of 2144 | 4944 | csrss.exe | 102 (3 entries)
PID 4944 wrote to memory of 2100 | 4944 | csrss.exe | 104 (3 entries)
PID 4944 wrote to memory of 5512 | 4944 | csrss.exe | 105 (3 entries)
PID 5512 wrote to memory of 5624 | 5512 | Kazekage.exe | 106 (3 entries)
PID 4156 wrote to memory of 4592 | 4156 | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe | 107 (3 entries)
PID 4156 wrote to memory of 3888 | 4156 | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe | 110 (3 entries)
PID 5604 wrote to memory of 1444 | 5604 | smss.exe | 111 (3 entries)
PID 4768 wrote to memory of 3056 | 4768 | Gaara.exe | 112 (3 entries)
PID 5512 wrote to memory of 1916 | 5512 | Kazekage.exe | 113 (3 entries)
PID 4156 wrote to memory of 5204 | 4156 | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe | 114 (3 entries)
PID 5604 wrote to memory of 4520 | 5604 | smss.exe | 115 (3 entries)
PID 4768 wrote to memory of 5252 | 4768 | Gaara.exe | 116 (3 entries)
PID 4944 wrote to memory of 4112 | 4944 | csrss.exe | 117 (3 entries)
PID 5512 wrote to memory of 3592 | 5512 | Kazekage.exe | 118 (3 entries)
PID 4156 wrote to memory of 2800 | 4156 | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe | 119
System policy modification 1 TTPs 12 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | system32.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | system32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | Kazekage.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Kazekage.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | csrss.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | Gaara.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | smss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | csrss.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe (level 1)
  command: "C:\Users\Admin\AppData\Local\Temp\2025-05-29_9aaf66041598bcc6ced612f0f42812ad_amadey_black-basta_elex_luca-stealer.exe"
  - Modifies WinLogon for persistence
  - Modifies visibility of file extensions in Explorer
  - Modifies visibility of hidden/system files in Explorer
  - UAC bypass
  - Disables RegEdit via registry modification
  - Drops file in Drivers directory
  - Event Triggered Execution: Image File Execution Options Injection
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops desktop.ini file(s)
  - Enumerates connected drives
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Sets desktop wallpaper using registry
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies Control Panel
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 4156
    C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe (level 2)
      command: "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
      - Modifies WinLogon for persistence
      - Modifies visibility of file extensions in Explorer
      - Modifies visibility of hidden/system files in Explorer
      - UAC bypass
      - Disables RegEdit via registry modification
      - Drops file in Drivers directory
      - Event Triggered Execution: Image File Execution Options Injection
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops desktop.ini file(s)
      - Enumerates connected drives
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Sets desktop wallpaper using registry
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Modifies Control Panel
      - Modifies Internet Explorer settings
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      PID: 5604
        C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe (level 3)
          command: "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          PID: 2024
        C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe (level 3)
          command: "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
          - Modifies WinLogon for persistence
          - Modifies visibility of file extensions in Explorer
          - Modifies visibility of hidden/system files in Explorer
          - UAC bypass
          - Disables RegEdit via registry modification
          - Drops file in Drivers directory
          - Event Triggered Execution: Image File Execution Options Injection
          - Executes dropped EXE
          - Loads dropped DLL
          - Adds Run key to start application
          - Checks whether UAC is enabled
          - Drops desktop.ini file(s)
          - Enumerates connected drives
          - Drops autorun.inf file
          - Drops file in System32 directory
          - Sets desktop wallpaper using registry
          - Drops file in Windows directory
          - System Location Discovery: System Language Discovery
          - Modifies Control Panel
          - Modifies Internet Explorer settings
          - Modifies registry class
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          - System policy modification
          PID: 4768
            C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe (level 4)
              command: "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 2332
            C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe (level 4)
              command: "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 2492
            C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe (level 4)
              command: "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
              - Modifies WinLogon for persistence
              - Modifies visibility of file extensions in Explorer
              - Modifies visibility of hidden/system files in Explorer
              - UAC bypass
              - Disables RegEdit via registry modification
              - Drops file in Drivers directory
              - Event Triggered Execution: Image File Execution Options Injection
              - Executes dropped EXE
              - Loads dropped DLL
              - Adds Run key to start application
              - Checks whether UAC is enabled
              - Drops desktop.ini file(s)
              - Enumerates connected drives
              - Drops autorun.inf file
              - Drops file in System32 directory
              - Sets desktop wallpaper using registry
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Modifies Control Panel
              - Modifies Internet Explorer settings
              - Modifies registry class
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of SetWindowsHookEx
              - Suspicious use of WriteProcessMemory
              - System policy modification
              PID: 4944
                C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe (level 5)
                  command: "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
                  PID: 5016
                C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe (level 5)
                  command: "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
                  PID: 2144
                C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe (level 5)
                  command: "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
                  PID: 2100
                C:\Windows\SysWOW64\drivers\Kazekage.exe (level 5)
                  command: C:\Windows\system32\drivers\Kazekage.exe
                  - Modifies WinLogon for persistence
                  - Modifies visibility of file extensions in Explorer
                  - Modifies visibility of hidden/system files in Explorer
                  - UAC bypass
                  - Disables RegEdit via registry modification
                  - Drops file in Drivers directory
                  - Event Triggered Execution: Image File Execution Options Injection
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - Checks whether UAC is enabled
                  - Drops desktop.ini file(s)
                  - Enumerates connected drives
                  - Drops autorun.inf file
                  - Drops file in System32 directory
                  - Sets desktop wallpaper using registry
                  - Drops file in Windows directory
                  - System Location Discovery: System Language Discovery
                  - Modifies Control Panel
                  - Modifies Internet Explorer settings
                  - Modifies registry class
                  - Suspicious behavior: EnumeratesProcesses
                  - Suspicious use of SetWindowsHookEx
                  - Suspicious use of WriteProcessMemory
                  - System policy modification
                  PID: 5512
                    C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe (level 6)
                      command: "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
                      - Executes dropped EXE
                      - Loads dropped DLL
                      - System Location Discovery: System Language Discovery
                      - Suspicious use of SetWindowsHookEx
                      PID: 5624
                    C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe (level 6)
                      command: "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
                      - Executes dropped EXE
                      - Loads dropped DLL
                      - System Location Discovery: System Language Discovery
                      - Suspicious use of SetWindowsHookEx
                      PID: 1916
                    C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe (level 6)
                      command: "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
                      - Executes dropped EXE
                      - Loads dropped DLL
                      - System Location Discovery: System Language Discovery
                      - Suspicious use of SetWindowsHookEx
                      PID: 3592
                    C:\Windows\SysWOW64\drivers\Kazekage.exe (level 6)
                      command: C:\Windows\system32\drivers\Kazekage.exe
                      - Executes dropped EXE
                      - System Location Discovery: System Language Discovery
                      - Suspicious use of SetWindowsHookEx
                      PID: 3188
                    C:\Windows\SysWOW64\drivers\system32.exe (level 6)
                      command: C:\Windows\system32\drivers\system32.exe
                      - Executes dropped EXE
                      - System Location Discovery: System Language Discovery
                      - Suspicious use of SetWindowsHookEx
                      PID: 2304
                    C:\Windows\SysWOW64\ping.exe (level 6)
                      command: ping -a -l www.rasasayang.com.my 65500
                      - System Location Discovery: System Language Discovery
                      - System Network Configuration Discovery: Internet Connection Discovery
                      - Runs ping.exe
                      PID: 5916
                    C:\Windows\SysWOW64\ping.exe (level 6)
                      command: ping -a -l www.duniasex.com 65500
                      - System Location Discovery: System Language Discovery
                      - System Network Configuration Discovery: Internet Connection Discovery
                      - Runs ping.exe
                      PID: 6016
                    C:\Windows\SysWOW64\ping.exe (level 6)
                      command: ping -a -l www.rasasayang.com.my 65500
                      - System Location Discovery: System Language Discovery
                      - System Network Configuration Discovery: Internet Connection Discovery
                      - Runs ping.exe
                      PID: 3132
                    C:\Windows\SysWOW64\ping.exe (level 6)
                      command: ping -a -l www.duniasex.com 65500
                      - System Location Discovery: System Language Discovery
                      - System Network Configuration Discovery: Internet Connection Discovery
                      - Runs ping.exe
                      PID: 4488
                    C:\Windows\SysWOW64\ping.exe (level 6)
                      command: ping -a -l www.rasasayang.com.my 65500
                      - System Location Discovery: System Language Discovery
                      - System Network Configuration Discovery: Internet Connection Discovery
                      - Runs ping.exe
                      PID: 3004
                    C:\Windows\SysWOW64\ping.exe (level 6)
                      command: ping -a -l www.duniasex.com 65500
                      - System Location Discovery: System Language Discovery
                      - System Network Configuration Discovery: Internet Connection Discovery
                      - Runs ping.exe
                      PID: 3116
                C:\Windows\SysWOW64\drivers\system32.exe (level 5)
                  command: C:\Windows\system32\drivers\system32.exe
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
                  PID: 4112
                C:\Windows\SysWOW64\ping.exe (level 5)
                  command: ping -a -l www.rasasayang.com.my 65500
                  - System Location Discovery: System Language Discovery
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe
                  PID: 3104
                C:\Windows\SysWOW64\ping.exe (level 5)
                  command: ping -a -l www.duniasex.com 65500
                  - System Location Discovery: System Language Discovery
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe
                  PID: 2340
                C:\Windows\SysWOW64\ping.exe (level 5)
                  command: ping -a -l www.rasasayang.com.my 65500
                  - System Location Discovery: System Language Discovery
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe
                  PID: 4440
                C:\Windows\SysWOW64\ping.exe (level 5)
                  command: ping -a -l www.duniasex.com 65500
                  - System Location Discovery: System Language Discovery
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe
                  PID: 1932
                C:\Windows\SysWOW64\ping.exe (level 5)
                  command: ping -a -l www.rasasayang.com.my 65500
                  - System Location Discovery: System Language Discovery
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe
                  PID: 5416
                C:\Windows\SysWOW64\ping.exe (level 5)
                  command: ping -a -l www.duniasex.com 65500
                  - System Location Discovery: System Language Discovery
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe
                  PID: 3784
            C:\Windows\SysWOW64\drivers\Kazekage.exe (level 4)
              command: C:\Windows\system32\drivers\Kazekage.exe
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of SetWindowsHookEx
              PID: 3056
            C:\Windows\SysWOW64\drivers\system32.exe (level 4)
              command: C:\Windows\system32\drivers\system32.exe
              - Modifies WinLogon for persistence
              - Modifies visibility of file extensions in Explorer
              - Modifies visibility of hidden/system files in Explorer
              - UAC bypass
              - Disables RegEdit via registry modification
              - Drops file in Drivers directory
              - Event Triggered Execution: Image File Execution Options Injection
              - Executes dropped EXE
              - Adds Run key to start application
              - Checks whether UAC is enabled
              - Drops desktop.ini file(s)
              - Enumerates connected drives
              - Drops autorun.inf file
              - Drops file in System32 directory
              - Sets desktop wallpaper using registry
              - Drops file in Windows directory
              - System Location Discovery: System Language Discovery
              - Modifies Control Panel
              - Modifies Internet Explorer settings
              - Modifies registry class
              - Suspicious use of SetWindowsHookEx
              - System policy modification
              PID: 5252
                C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe (level 5)
                  command: "C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
                  PID: 5780
                C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe (level 5)
                  command: "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
                  PID: 5008
                C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe (level 5)
                  command: "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
                  - Executes dropped EXE
                  - Loads dropped DLL
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
                  PID: 3116
                C:\Windows\SysWOW64\drivers\Kazekage.exe (level 5)
                  command: C:\Windows\system32\drivers\Kazekage.exe
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
                  PID: 2792
                C:\Windows\SysWOW64\drivers\system32.exe (level 5)
                  command: C:\Windows\system32\drivers\system32.exe
                  - Executes dropped EXE
                  - System Location Discovery: System Language Discovery
                  - Suspicious use of SetWindowsHookEx
                  PID: 3920
                C:\Windows\SysWOW64\ping.exe (level 5)
                  command: ping -a -l www.rasasayang.com.my 65500
                  - System Location Discovery: System Language Discovery
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe
                  PID: 6076
                C:\Windows\SysWOW64\ping.exe (level 5)
                  command: ping -a -l www.duniasex.com 65500
                  - System Location Discovery: System Language Discovery
                  - System Network Configuration Discovery: Internet Connection Discovery
                  - Runs ping.exe
                  PID: 3964
            C:\Windows\SysWOW64\ping.exe (level 4)
              command: ping -a -l www.rasasayang.com.my 65500
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
              PID: 5224
            C:\Windows\SysWOW64\ping.exe (level 4)
              command: ping -a -l www.duniasex.com 65500
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
              PID: 6088
            C:\Windows\SysWOW64\ping.exe (level 4)
              command: ping -a -l www.rasasayang.com.my 65500
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
              PID: 5016
            C:\Windows\SysWOW64\ping.exe (level 4)
              command: ping -a -l www.duniasex.com 65500
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
              PID: 4064
            C:\Windows\SysWOW64\ping.exe (level 4)
              command: ping -a -l www.rasasayang.com.my 65500
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
              PID: 2984
            C:\Windows\SysWOW64\ping.exe (level 4)
              command: ping -a -l www.duniasex.com 65500
              - System Location Discovery: System Language Discovery
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
              PID: 4780
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
Command line: "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
Tree depth: 3
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 1444

C:\Windows\SysWOW64\drivers\Kazekage.exe
Command line: C:\Windows\system32\drivers\Kazekage.exe
Tree depth: 3
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4520

C:\Windows\SysWOW64\drivers\system32.exe
Command line: C:\Windows\system32\drivers\system32.exe
Tree depth: 3
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3176

C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.rasasayang.com.my 65500
Tree depth: 3
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 6092

C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.duniasex.com 65500
Tree depth: 3
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 4612

C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.rasasayang.com.my 65500
Tree depth: 3
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2476

C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.duniasex.com 65500
Tree depth: 3
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3772

C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.rasasayang.com.my 65500
Tree depth: 3
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 6000

C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.duniasex.com 65500
Tree depth: 3
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2896
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
Command line: "C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"
Tree depth: 2
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 4592

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
Command line: "C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"
Tree depth: 2
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 3888

C:\Windows\SysWOW64\drivers\Kazekage.exe
Command line: C:\Windows\system32\drivers\Kazekage.exe
Tree depth: 2
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 5204

C:\Windows\SysWOW64\drivers\system32.exe
Command line: C:\Windows\system32\drivers\system32.exe
Tree depth: 2
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID: 2800

C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.rasasayang.com.my 65500
Tree depth: 2
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2472

C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.duniasex.com 65500
Tree depth: 2
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3196

C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.rasasayang.com.my 65500
Tree depth: 2
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 3248

C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.duniasex.com 65500
Tree depth: 2
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 5056

C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.rasasayang.com.my 65500
Tree depth: 2
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 2280

C:\Windows\SysWOW64\ping.exe
Command line: ping -a -l www.duniasex.com 65500
Tree depth: 2
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID: 556
C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\smss.exe
Tree depth: 1
PID: 5732

C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\Gaara.exe
Tree depth: 1
PID: 2892

C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c 29-5-2025.exe
Tree depth: 1
PID: 3212

C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c drivers\csrss.exe
Tree depth: 1
PID: 5388
Network
MITRE ATT&CK Enterprise v16

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Event Triggered Execution (1)
  - Image File Execution Options Injection (1)

Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (1)
  - Disable or Modify Tools (1)
- Modify Registry (8)
Downloads