Analysis
-
max time kernel
150s -
max time network
144s -
platform
windows10-2004_x64 -
resource
win10v2004-20250502-en -
resource tags
arch:x64arch:x86image:win10v2004-20250502-enlocale:en-usos:windows10-2004-x64system -
submitted
29/05/2025, 11:51
Behavioral task
behavioral1
Sample
2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe
Resource
win10v2004-20250502-en
General
-
Target
2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe
-
Size
8.1MB
-
MD5
b315b9baf0090e0fe9acd782b64c5bed
-
SHA1
5e1d64a47d48be1d22a0e5a455bc422b08fcc5b3
-
SHA256
d8f2501508489f91193dbcdf22d654b2562e38eb4074899854a7ae4306417af7
-
SHA512
4f7c1dec92f2f82e4951a8b7dabe9979715ffb99d2c01f5706036f456adfa90afb32d76786226f5234c5650f721ab42d05d11ab37852e205194e869f01275976
-
SSDEEP
49152:BGyqWyWy0GyqWyWyMRPC1em1eHc785diLvnb17:BGyqWyWy0GyqWyWyMRPC1em1eHL5dGTp
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 12 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe -
Modifies visibility of file extensions in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" Gaara.exe -
Modifies visiblity of hidden/system files in Explorer 2 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" smss.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" Gaara.exe -
UAC bypass 3 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe -
Disables RegEdit via registry modification 6 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" csrss.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" system32.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Kazekage.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" Gaara.exe Set value (int) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" smss.exe -
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 24 IoCs
description ioc Process File created C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File created C:\Windows\SysWOW64\drivers\system32.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\drivers\system32.exe 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe system32.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\system32.exe system32.exe File created C:\Windows\SysWOW64\drivers\system32.exe smss.exe File created C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe smss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\system32.exe csrss.exe File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe Kazekage.exe File created C:\Windows\SysWOW64\drivers\system32.exe Gaara.exe File created C:\Windows\SysWOW64\drivers\system32.exe csrss.exe -
Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe system32.exe -
Executes dropped EXE 30 IoCs
pid Process 436 smss.exe 3672 smss.exe 4556 Gaara.exe 2036 smss.exe 2224 Gaara.exe 3336 csrss.exe 4640 smss.exe 2176 Gaara.exe 1952 csrss.exe 4812 Gaara.exe 2096 csrss.exe 1296 Kazekage.exe 4896 Kazekage.exe 3028 smss.exe 2536 csrss.exe 916 Gaara.exe 808 system32.exe 2180 Kazekage.exe 868 csrss.exe 3320 system32.exe 4336 smss.exe 2504 Kazekage.exe 2100 Gaara.exe 3960 system32.exe 1512 csrss.exe 4704 Kazekage.exe 4380 system32.exe 2976 Kazekage.exe 2780 system32.exe 2732 system32.exe -
Loads dropped DLL 18 IoCs
pid Process 436 smss.exe 3672 smss.exe 4556 Gaara.exe 2036 smss.exe 2224 Gaara.exe 3336 csrss.exe 4640 smss.exe 2176 Gaara.exe 1952 csrss.exe 4812 Gaara.exe 2096 csrss.exe 3028 smss.exe 2536 csrss.exe 916 Gaara.exe 868 csrss.exe 4336 smss.exe 2100 Gaara.exe 1512 csrss.exe -
Adds Run key to start application 2 TTPs 24 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" Kazekage.exe -
Checks whether UAC is enabled 1 TTPs 6 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe -
Drops desktop.ini file(s) 64 IoCs
description ioc Process File opened for modification \??\A:\Desktop.ini csrss.exe File opened for modification \??\G:\Desktop.ini csrss.exe File opened for modification \??\V:\Desktop.ini 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\Y:\Desktop.ini csrss.exe File opened for modification \??\O:\Desktop.ini Kazekage.exe File opened for modification \??\R:\Desktop.ini Kazekage.exe File opened for modification \??\A:\Desktop.ini smss.exe File opened for modification \??\B:\Desktop.ini smss.exe File opened for modification F:\Desktop.ini smss.exe File opened for modification \??\G:\Desktop.ini smss.exe File opened for modification \??\Z:\Desktop.ini smss.exe File opened for modification \??\O:\Desktop.ini 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\Q:\Desktop.ini 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\L:\Desktop.ini system32.exe File opened for modification \??\H:\Desktop.ini smss.exe File opened for modification \??\Q:\Desktop.ini smss.exe File opened for modification \??\S:\Desktop.ini smss.exe File opened for modification \??\M:\Desktop.ini system32.exe File opened for modification F:\Desktop.ini Gaara.exe File opened for modification \??\G:\Desktop.ini Gaara.exe File opened for modification \??\H:\Desktop.ini Gaara.exe File opened for modification \??\X:\Desktop.ini smss.exe File opened for modification \??\T:\Desktop.ini csrss.exe File opened for modification \??\B:\Desktop.ini csrss.exe File opened for modification F:\Desktop.ini 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\O:\Desktop.ini csrss.exe File opened for modification \??\N:\Desktop.ini system32.exe File opened for modification \??\W:\Desktop.ini system32.exe File opened for modification \??\Q:\Desktop.ini Gaara.exe File opened for modification \??\N:\Desktop.ini 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\P:\Desktop.ini 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\Z:\Desktop.ini 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Desktop.ini system32.exe File opened for modification \??\N:\Desktop.ini csrss.exe File opened for modification \??\S:\Desktop.ini 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\H:\Desktop.ini Kazekage.exe File opened for modification \??\L:\Desktop.ini Kazekage.exe File opened for modification \??\N:\Desktop.ini Gaara.exe File opened for modification \??\N:\Desktop.ini smss.exe File opened for modification \??\H:\Desktop.ini csrss.exe File opened for modification \??\Q:\Desktop.ini csrss.exe File opened for modification \??\Y:\Desktop.ini 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\X:\Desktop.ini system32.exe File opened for modification \??\G:\Desktop.ini Kazekage.exe File opened for modification \??\P:\Desktop.ini Kazekage.exe File opened for modification \??\W:\Desktop.ini 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\E:\Desktop.ini system32.exe File opened for modification \??\H:\Desktop.ini system32.exe File opened for modification \??\S:\Desktop.ini Kazekage.exe File opened for modification \??\X:\Desktop.ini Gaara.exe File opened for modification D:\Desktop.ini Kazekage.exe File opened for modification D:\Desktop.ini smss.exe File opened for modification \??\A:\Desktop.ini 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\E:\Desktop.ini 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\Z:\Desktop.ini csrss.exe File opened for modification \??\T:\Desktop.ini Kazekage.exe File opened for modification \??\E:\Desktop.ini Gaara.exe File opened for modification \??\K:\Desktop.ini Gaara.exe File opened for modification \??\K:\Desktop.ini smss.exe File opened for modification \??\E:\Desktop.ini csrss.exe File opened for modification \??\B:\Desktop.ini Kazekage.exe File opened for modification \??\J:\Desktop.ini Kazekage.exe File opened for modification \??\W:\Desktop.ini Kazekage.exe File opened for modification D:\Desktop.ini Gaara.exe -
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\N: 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\W: 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\O: system32.exe File opened (read-only) \??\R: csrss.exe File opened (read-only) \??\Y: 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\Q: system32.exe File opened (read-only) \??\O: Gaara.exe File opened (read-only) \??\O: smss.exe File opened (read-only) \??\T: smss.exe File opened (read-only) \??\B: 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\I: 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\T: 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\Y: smss.exe File opened (read-only) \??\A: 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\E: 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\L: system32.exe File opened (read-only) \??\H: Kazekage.exe File opened (read-only) \??\R: Kazekage.exe File opened (read-only) \??\K: 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\P: csrss.exe File opened (read-only) \??\I: Kazekage.exe File opened (read-only) \??\O: Kazekage.exe File opened (read-only) \??\A: csrss.exe File opened (read-only) \??\P: system32.exe File opened (read-only) \??\A: Kazekage.exe File opened (read-only) \??\T: Kazekage.exe File opened (read-only) \??\J: smss.exe File opened (read-only) \??\B: csrss.exe File opened (read-only) \??\T: system32.exe File opened (read-only) \??\X: system32.exe File opened (read-only) \??\V: Gaara.exe File opened (read-only) \??\G: csrss.exe File opened (read-only) \??\M: Kazekage.exe File opened (read-only) \??\N: Kazekage.exe File opened (read-only) \??\A: Gaara.exe File opened (read-only) \??\H: Gaara.exe File opened (read-only) \??\S: csrss.exe File opened (read-only) \??\X: Gaara.exe File opened (read-only) \??\Q: smss.exe File opened (read-only) \??\S: smss.exe File opened (read-only) \??\H: csrss.exe File opened (read-only) \??\X: 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\U: smss.exe File opened (read-only) \??\U: system32.exe File opened (read-only) \??\W: csrss.exe File opened (read-only) \??\G: system32.exe File opened (read-only) \??\Y: Gaara.exe File opened (read-only) \??\A: system32.exe File opened (read-only) \??\N: system32.exe File opened (read-only) \??\B: Gaara.exe File opened (read-only) \??\P: smss.exe File opened (read-only) \??\Z: system32.exe File opened (read-only) \??\U: Kazekage.exe File opened (read-only) \??\X: Kazekage.exe File opened (read-only) \??\W: Gaara.exe File opened (read-only) \??\J: csrss.exe File opened (read-only) \??\O: 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\R: 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\Q: Gaara.exe File opened (read-only) \??\Z: Gaara.exe File opened (read-only) \??\L: 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened (read-only) \??\T: csrss.exe File opened (read-only) \??\H: smss.exe File opened (read-only) \??\I: smss.exe -
Drops autorun.inf file 1 TTPs 64 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description ioc Process File created \??\Y:\Autorun.inf Gaara.exe File created \??\N:\Autorun.inf csrss.exe File created \??\Q:\Autorun.inf Kazekage.exe File opened for modification C:\Autorun.inf system32.exe File opened for modification \??\M:\Autorun.inf system32.exe File opened for modification \??\Q:\Autorun.inf 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\V:\Autorun.inf Gaara.exe File opened for modification D:\Autorun.inf csrss.exe File opened for modification \??\W:\Autorun.inf Kazekage.exe File opened for modification \??\Z:\Autorun.inf system32.exe File created \??\J:\Autorun.inf smss.exe File created \??\N:\Autorun.inf Gaara.exe File opened for modification \??\N:\Autorun.inf csrss.exe File opened for modification \??\T:\Autorun.inf Kazekage.exe File opened for modification \??\W:\Autorun.inf system32.exe File opened for modification \??\N:\Autorun.inf 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File created C:\Autorun.inf 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\M:\Autorun.inf smss.exe File created \??\L:\Autorun.inf csrss.exe File opened for modification \??\R:\Autorun.inf Kazekage.exe File created \??\N:\Autorun.inf system32.exe File created \??\V:\Autorun.inf smss.exe File created \??\Z:\Autorun.inf smss.exe File opened for modification \??\A:\Autorun.inf smss.exe File opened for modification \??\Y:\Autorun.inf Gaara.exe File created D:\Autorun.inf smss.exe File opened for modification \??\J:\Autorun.inf system32.exe File created \??\M:\Autorun.inf smss.exe File opened for modification \??\Q:\Autorun.inf Gaara.exe File created \??\G:\Autorun.inf csrss.exe File opened for modification \??\S:\Autorun.inf csrss.exe File opened for modification \??\Z:\Autorun.inf csrss.exe File opened for modification \??\Z:\Autorun.inf Kazekage.exe File created \??\R:\Autorun.inf 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\P:\Autorun.inf smss.exe File opened for modification \??\Q:\Autorun.inf system32.exe File created \??\V:\Autorun.inf Gaara.exe File opened for modification \??\I:\Autorun.inf Kazekage.exe File created \??\Q:\Autorun.inf smss.exe File opened for modification \??\K:\Autorun.inf Gaara.exe File created \??\Q:\Autorun.inf Gaara.exe File opened for modification \??\K:\Autorun.inf csrss.exe File created \??\W:\Autorun.inf system32.exe File opened for modification \??\V:\Autorun.inf 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File created \??\B:\Autorun.inf smss.exe File created \??\P:\Autorun.inf Gaara.exe File opened for modification \??\J:\Autorun.inf csrss.exe File opened for modification \??\L:\Autorun.inf csrss.exe File created \??\P:\Autorun.inf csrss.exe File opened for modification \??\G:\Autorun.inf system32.exe File opened for modification \??\N:\Autorun.inf system32.exe File opened for modification D:\Autorun.inf smss.exe File created \??\A:\Autorun.inf Gaara.exe File opened for modification \??\B:\Autorun.inf Gaara.exe File opened for modification \??\L:\Autorun.inf Gaara.exe File opened for modification F:\Autorun.inf Kazekage.exe File opened for modification \??\Y:\Autorun.inf Kazekage.exe File created \??\Z:\Autorun.inf Kazekage.exe File created \??\Q:\Autorun.inf 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification \??\T:\Autorun.inf smss.exe File created \??\E:\Autorun.inf csrss.exe File created \??\N:\Autorun.inf Kazekage.exe File opened for modification \??\S:\Autorun.inf Kazekage.exe File opened for modification \??\U:\Autorun.inf Kazekage.exe -
Drops file in System32 directory 39 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\29-5-2025.exe Gaara.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe system32.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\SysWOW64\ system32.exe File created C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\ 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Gaara.exe File created C:\Windows\SysWOW64\29-5-2025.exe 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe csrss.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe Kazekage.exe File opened for modification C:\Windows\SysWOW64\ smss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx system32.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx Gaara.exe File created C:\Windows\SysWOW64\msvbvm60.dll smss.exe File created C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\Desktop.ini 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\SysWOW64\ csrss.exe File opened for modification C:\Windows\SysWOW64\ Kazekage.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll system32.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\29-5-2025.exe smss.exe File created C:\Windows\SysWOW64\mscomctl.ocx 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll smss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx smss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx csrss.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini Kazekage.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\SysWOW64\ Gaara.exe File created C:\Windows\SysWOW64\msvbvm60.dll 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\SysWOW64\msvbvm60.dll csrss.exe File opened for modification C:\Windows\SysWOW64\mscomctl.ocx 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\msvbvm60.dll 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\SysWOW64\Desktop.ini system32.exe -
Sets desktop wallpaper using registry 2 TTPs 6 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe -
resource yara_rule behavioral1/memory/3224-0-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x0007000000024103-11.dat upx behavioral1/files/0x0007000000024101-31.dat upx behavioral1/memory/436-32-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x0007000000024103-46.dat upx behavioral1/files/0x0007000000024105-53.dat upx behavioral1/memory/3672-70-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3672-75-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x0007000000024102-76.dat upx behavioral1/memory/4556-77-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x0007000000024104-89.dat upx behavioral1/files/0x0007000000024105-93.dat upx behavioral1/files/0x0007000000024106-97.dat upx behavioral1/memory/2036-115-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2224-119-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x0007000000024103-121.dat upx behavioral1/memory/3336-123-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3224-122-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x0007000000024105-136.dat upx behavioral1/memory/436-142-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4640-160-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4556-164-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2176-167-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4812-171-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1952-176-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2096-181-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-185-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4812-180-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4896-195-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3336-194-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x0007000000024104-196.dat upx behavioral1/files/0x0007000000024106-200.dat upx behavioral1/memory/3028-227-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/808-232-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4896-235-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2180-249-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-243-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/916-246-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3320-263-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/868-265-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4336-270-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3960-273-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2100-280-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2504-277-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4704-286-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/808-285-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3960-290-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4704-297-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2976-301-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4380-303-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2780-307-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/2732-309-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3224-310-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/436-311-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/1296-312-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/4556-313-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/808-314-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3336-315-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3224-316-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/436-372-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x0001000000000030-426.dat upx behavioral1/memory/4556-431-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/memory/3224-500-0x0000000000400000-0x000000000042A000-memory.dmp upx behavioral1/files/0x000100000000002c-557.dat upx -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe Kazekage.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\system\msvbvm60.dll 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg smss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe Gaara.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe csrss.exe File created C:\Windows\WBEM\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\mscomctl.ocx Gaara.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg csrss.exe File opened for modification C:\Windows\mscomctl.ocx Kazekage.exe File opened for modification C:\Windows\system\mscoree.dll Kazekage.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe smss.exe File opened for modification C:\Windows\system\mscoree.dll Gaara.exe File created C:\Windows\Fonts\The Kazekage.jpg 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\msvbvm60.dll 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\system\mscoree.dll smss.exe File opened for modification C:\Windows\system\mscoree.dll csrss.exe File opened for modification C:\Windows\system\msvbvm60.dll system32.exe File opened for modification C:\Windows\mscomctl.ocx smss.exe File opened for modification C:\Windows\ csrss.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe smss.exe File opened for modification C:\Windows\msvbvm60.dll csrss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe system32.exe File opened for modification C:\Windows\ system32.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\WBEM\msvbvm60.dll 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe csrss.exe File created C:\Windows\WBEM\msvbvm60.dll csrss.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe Kazekage.exe File opened for modification C:\Windows\msvbvm60.dll system32.exe File opened for modification C:\Windows\mscomctl.ocx system32.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe smss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Kazekage.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe Kazekage.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe Kazekage.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe smss.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg Gaara.exe File created C:\Windows\WBEM\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe csrss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe csrss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe Kazekage.exe File opened for modification C:\Windows\system\msvbvm60.dll smss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe Gaara.exe File opened for modification C:\Windows\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\system\msvbvm60.dll Kazekage.exe File opened for modification C:\Windows\Fonts\The Kazekage.jpg system32.exe File opened for modification C:\Windows\system\mscoree.dll system32.exe File opened for modification C:\Windows\ smss.exe File opened for modification C:\Windows\mscomctl.ocx csrss.exe File opened for modification C:\Windows\system\msvbvm60.dll csrss.exe File opened for modification C:\Windows\system\mscoree.dll 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe Gaara.exe File opened for modification C:\Windows\msvbvm60.dll Gaara.exe File opened for modification C:\Windows\system\msvbvm60.dll Gaara.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe csrss.exe File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll system32.exe -
System Location Discovery: System Language Discovery 1 TTPs 63 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language smss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Gaara.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Kazekage.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language csrss.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language system32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ping.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 32 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2244 ping.exe 3120 ping.exe 4228 ping.exe 4880 ping.exe 2248 ping.exe 2636 ping.exe 2244 ping.exe 4772 ping.exe 3936 ping.exe 2476 ping.exe 3268 ping.exe 2308 ping.exe 3936 ping.exe 4336 ping.exe 452 ping.exe 184 ping.exe 2176 ping.exe 3316 ping.exe 3008 ping.exe 5096 ping.exe 2552 ping.exe 2248 ping.exe 1096 ping.exe 2068 ping.exe 4896 ping.exe 4600 ping.exe 4524 ping.exe 2176 ping.exe 3776 ping.exe 3008 ping.exe 2840 ping.exe 4876 ping.exe -
Modifies Control Panel 64 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Size = "72" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\WallpaperStyle = "2" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" system32.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Speed = "4" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop system32.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Speed = "4" system32.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Size = "72" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" Gaara.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Size = "72" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\WallpaperStyle = "2" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Speed = "4" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" csrss.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Size = "72" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Speed = "4" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\WallpaperStyle = "2" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" Kazekage.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Size = "72" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Size = "72" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" smss.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" smss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Software\Microsoft\Internet Explorer\Main csrss.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" system32.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Software\Microsoft\Internet Explorer\Main smss.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Software\Microsoft\Internet Explorer\Main 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" csrss.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Software\Microsoft\Internet Explorer\Main system32.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Software\Microsoft\Internet Explorer\Main Kazekage.exe Key created \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Software\Microsoft\Internet Explorer\Main Gaara.exe Set value (str) \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" Gaara.exe -
Modifies registry class 51 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command smss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" Kazekage.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" Gaara.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" csrss.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" system32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" system32.exe -
Runs ping.exe 1 TTPs 32 IoCs
pid Process 2248 ping.exe 2476 ping.exe 3008 ping.exe 2248 ping.exe 452 ping.exe 2244 ping.exe 2176 ping.exe 3268 ping.exe 3936 ping.exe 2068 ping.exe 3008 ping.exe 4876 ping.exe 3120 ping.exe 4880 ping.exe 2636 ping.exe 4600 ping.exe 3936 ping.exe 4772 ping.exe 3776 ping.exe 184 ping.exe 5096 ping.exe 1096 ping.exe 2308 ping.exe 3316 ping.exe 2244 ping.exe 2552 ping.exe 2176 ping.exe 4896 ping.exe 4228 ping.exe 2840 ping.exe 4336 ping.exe 4524 ping.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 436 smss.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 3336 csrss.exe 3336 csrss.exe 3336 csrss.exe 3336 csrss.exe 3336 csrss.exe 3336 csrss.exe 3336 csrss.exe 3336 csrss.exe 3336 csrss.exe 3336 csrss.exe 3336 csrss.exe 3336 csrss.exe 3336 csrss.exe 3336 csrss.exe 3336 csrss.exe 3336 csrss.exe -
Suspicious use of SetWindowsHookEx 31 IoCs
pid Process 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 436 smss.exe 3672 smss.exe 4556 Gaara.exe 2036 smss.exe 2224 Gaara.exe 3336 csrss.exe 4640 smss.exe 2176 Gaara.exe 1952 csrss.exe 4812 Gaara.exe 2096 csrss.exe 1296 Kazekage.exe 4896 Kazekage.exe 3028 smss.exe 2536 csrss.exe 916 Gaara.exe 808 system32.exe 2180 Kazekage.exe 3320 system32.exe 868 csrss.exe 4336 smss.exe 2504 Kazekage.exe 2100 Gaara.exe 3960 system32.exe 1512 csrss.exe 4704 Kazekage.exe 4380 system32.exe 2976 Kazekage.exe 2780 system32.exe 2732 system32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3224 wrote to memory of 436 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 88 PID 3224 wrote to memory of 436 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 88 PID 3224 wrote to memory of 436 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 88 PID 436 wrote to memory of 3672 436 smss.exe 91 PID 436 wrote to memory of 3672 436 smss.exe 91 PID 436 wrote to memory of 3672 436 smss.exe 91 PID 436 wrote to memory of 4556 436 smss.exe 92 PID 436 wrote to memory of 4556 436 smss.exe 92 PID 436 wrote to memory of 4556 436 smss.exe 92 PID 4556 wrote to memory of 2036 4556 Gaara.exe 95 PID 4556 wrote to memory of 2036 4556 Gaara.exe 95 PID 4556 wrote to memory of 2036 4556 Gaara.exe 95 PID 4556 wrote to memory of 2224 4556 Gaara.exe 97 PID 4556 wrote to memory of 2224 4556 Gaara.exe 97 PID 4556 wrote to memory of 2224 4556 Gaara.exe 97 PID 4556 wrote to memory of 3336 4556 Gaara.exe 99 PID 4556 wrote to memory of 3336 4556 Gaara.exe 99 PID 4556 wrote to memory of 3336 4556 Gaara.exe 99 PID 3336 wrote to memory of 4640 3336 csrss.exe 100 PID 3336 wrote to memory of 4640 3336 csrss.exe 100 PID 3336 wrote to memory of 4640 3336 csrss.exe 100 PID 3336 wrote to memory of 2176 3336 csrss.exe 102 PID 3336 wrote to memory of 2176 3336 csrss.exe 102 PID 3336 wrote to memory of 2176 3336 csrss.exe 102 PID 3336 wrote to memory of 1952 3336 csrss.exe 104 PID 3336 wrote to memory of 1952 3336 csrss.exe 104 PID 3336 wrote to memory of 1952 3336 csrss.exe 104 PID 3224 wrote to memory of 4812 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 105 PID 3224 wrote to memory of 4812 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 105 PID 3224 wrote to memory of 4812 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 105 PID 3224 wrote to memory of 2096 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 107 PID 3224 wrote to memory of 2096 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 107 PID 3224 wrote to memory of 2096 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 107 PID 3336 wrote to memory of 1296 3336 csrss.exe 106 PID 3336 wrote to memory of 1296 3336 csrss.exe 106 PID 3336 wrote to memory of 1296 3336 csrss.exe 106 PID 3224 wrote to memory of 4896 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 109 PID 3224 wrote to memory of 4896 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 109 PID 3224 wrote to memory of 4896 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 109 PID 1296 wrote to memory of 3028 1296 Kazekage.exe 110 PID 1296 wrote to memory of 3028 1296 Kazekage.exe 110 PID 1296 wrote to memory of 3028 1296 Kazekage.exe 110 PID 436 wrote to memory of 2536 436 smss.exe 112 PID 436 wrote to memory of 2536 436 smss.exe 112 PID 436 wrote to memory of 2536 436 smss.exe 112 PID 1296 wrote to memory of 916 1296 Kazekage.exe 113 PID 1296 wrote to memory of 916 1296 Kazekage.exe 113 PID 1296 wrote to memory of 916 1296 Kazekage.exe 113 PID 3224 wrote to memory of 808 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 114 PID 3224 wrote to memory of 808 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 114 PID 3224 wrote to memory of 808 3224 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe 114 PID 436 wrote to memory of 2180 436 smss.exe 115 PID 436 wrote to memory of 2180 436 smss.exe 115 PID 436 wrote to memory of 2180 436 smss.exe 115 PID 1296 wrote to memory of 868 1296 Kazekage.exe 116 PID 1296 wrote to memory of 868 1296 Kazekage.exe 116 PID 1296 wrote to memory of 868 1296 Kazekage.exe 116 PID 436 wrote to memory of 3320 436 smss.exe 117 PID 436 wrote to memory of 3320 436 smss.exe 117 PID 436 wrote to memory of 3320 436 smss.exe 117 PID 808 wrote to memory of 4336 808 system32.exe 118 PID 808 wrote to memory of 4336 808 system32.exe 118 PID 808 wrote to memory of 4336 808 system32.exe 118 PID 1296 wrote to memory of 2504 1296 Kazekage.exe 119 -
System policy modification 1 TTPs 12 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" smss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System csrss.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" system32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Kazekage.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Kazekage.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System Gaara.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" Gaara.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System smss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System 2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" csrss.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System system32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe"C:\Users\Admin\AppData\Local\Temp\2025-05-29_b315b9baf0090e0fe9acd782b64c5bed_amadey_black-basta_elex_luca-stealer.exe"1⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3224 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:436 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3672
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"3⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4556 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2036
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2224
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"4⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3336 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4640
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2176
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"5⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1952
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe5⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1296 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3028
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:916
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"6⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:868
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2504
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3960
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3008
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:5096
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4772
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2248
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3008
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655006⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2840
-
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4380
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3316
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4896
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2552
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4228
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2244
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2176
-
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4704
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2780
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3936
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2476
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3120
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4336
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3776
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4524
-
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2536
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2180
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3320
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2176
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2636
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3268
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2244
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2068
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2308
-
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4812
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2096
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4896
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe2⤵
- Modifies WinLogon for persistence
- Modifies visibility of file extensions in Explorer
- Modifies visiblity of hidden/system files in Explorer
- UAC bypass
- Disables RegEdit via registry modification
- Drops file in Drivers directory
- Event Triggered Execution: Image File Execution Options Injection
- Executes dropped EXE
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops desktop.ini file(s)
- Enumerates connected drives
- Drops autorun.inf file
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies Control Panel
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:808 -
C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:4336
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2100
-
-
C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1512
-
-
C:\Windows\SysWOW64\drivers\Kazekage.exeC:\Windows\system32\drivers\Kazekage.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2976
-
-
C:\Windows\SysWOW64\drivers\system32.exeC:\Windows\system32\drivers\system32.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2732
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:452
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:3936
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:184
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4876
-
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2248
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4880
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.rasasayang.com.my 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:4600
-
-
C:\Windows\SysWOW64\ping.exeping -a -l www.duniasex.com 655002⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1096
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\smss.exe1⤵PID:4484
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\Gaara.exe1⤵PID:1508
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c 29-5-2025.exe1⤵PID:4548
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c drivers\csrss.exe1⤵PID:2500
Network
MITRE ATT&CK Enterprise v16
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Event Triggered Execution
1Image File Execution Options Injection
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
1Disable or Modify Tools
1Modify Registry
8Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
736B
MD5bb5d6abdf8d0948ac6895ce7fdfbc151
SHA19266b7a247a4685892197194d2b9b86c8f6dddbd
SHA2565db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c
-
Filesize
196B
MD51564dfe69ffed40950e5cb644e0894d1
SHA1201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA51272df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097
-
Filesize
8.1MB
MD56440d87d42087aa7c97429151134d6c0
SHA1d36bca08e72c6a351711cfc290939fc53060a4ee
SHA256c4c4e2b2b937847924e801c0ca60288af7262b7ebb445ea794af2d1f25c76f8d
SHA512f825cd4a0249db0283d196364433f0ee43680b1b9ac94b22c27a1e5a2dc7275dc4dfbbb50c2191a63b54d1ac94d46d1a5afa8025e50a6de096ff01f4632de782
-
Filesize
8.1MB
MD5b315b9baf0090e0fe9acd782b64c5bed
SHA15e1d64a47d48be1d22a0e5a455bc422b08fcc5b3
SHA256d8f2501508489f91193dbcdf22d654b2562e38eb4074899854a7ae4306417af7
SHA5124f7c1dec92f2f82e4951a8b7dabe9979715ffb99d2c01f5706036f456adfa90afb32d76786226f5234c5650f721ab42d05d11ab37852e205194e869f01275976
-
Filesize
8.1MB
MD52e4335439d58f3866db2d4c2ef410938
SHA10621d26dcb0e786f599642a0f16958e5dbdd8d74
SHA256b1a3ae69aa95fe3fb274840c77dc1d79e292832837088829ef41deb0b4c4e1e6
SHA5124bb029e16097439f868d422e205b682089303ef891b5c34bdc1ac4c46e0f7034e55a0b129f0ab81c9a37077650c2292345d4cc5fe70135180b27b217e4da0faa
-
Filesize
8.1MB
MD5a209979d29a40815a19b50c5a6def5d1
SHA144b0507a5a36ef3f75db6e088581c30e1c4506ec
SHA2562fc6be28fedeb6c43921c0c8b8ac0e534625a74fce0a13a630b329f1755b86fb
SHA512bfb975c37a970d85f2d819f8c8aa91005c09b02d77d97a0a3a520316021922ff0ee2998eeffd02b1ab5c884afafa1e2273132bf58eaff8c9078bfb3d651ebbfa
-
Filesize
8.1MB
MD5bb430fec77f659dd54e50fcb39645b5f
SHA1bc5d61e61d6bc710e0fc2c3459a9c547caf063f5
SHA256fc9ceacd5c92b0caa61abfd2e91a019606dd4096b886e010a11d40f1b53955f7
SHA5126ce8e0bbd1daba4416f375258af6f64c843a3757124f39a7b42029951bbaab60e2e996e0cf6f96c9f699baaf67896428b01584ae3007e4f5ca0a63d80384573b
-
Filesize
1.4MB
MD5d6b05020d4a0ec2a3a8b687099e335df
SHA1df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA2569824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA51278fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff
-
Filesize
8.1MB
MD593b5e6e8da7c9e9b41e9daf350e64959
SHA1418b9c3fa9c03d4bfde8ef9474884ab1cfb0171d
SHA256e4e43e672d787467e096e620ac15f7c26fc7c03a9e594be65bbe5c0ddfb3aa64
SHA512bef11dc94b48455f63f2784c489e714eeed9b95b71f815c48ad8e2cc4797593f9e79f248836ea216effdf31fcd3a81964e4ba1c516ef0f64b288bbbaee498719
-
Filesize
8.1MB
MD516483a543ed3daaa72f271758aa04842
SHA1dc9764045d9b21a72d9c56c9a6256dbd64275d29
SHA25621709eac07c9545389b14f0452dab838cc211fcafbba440c2ebdd291bbba929f
SHA512820b986540ff7354146779eef768dfc7441924cd4da75d69df275261dd53f1673356bd070c20cd904b4830eb9c88308133481cdbff5f601b2dea8b1f7a16ff85
-
Filesize
65B
MD564acfa7e03b01f48294cf30d201a0026
SHA110facd995b38a095f30b4a800fa454c0bcbf8438
SHA256ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA51265a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
-
Filesize
8.1MB
MD509bd480e5abb70ebf00f9898953e111b
SHA13a5af9bc19a4c4d935549331853a80f68bfbb4f5
SHA256e2c610a34d1e8f074bba3d347bfcd7874936a1b8f8e84b30606dab7a782de499
SHA512a000b4f56da9d278d581043ab74870d90de6afa6d457d9d4ca5fe0ae69dbfb1d519870e8201456516e8b3d4bcfccf5621ac15972b29a316a460b3c74beee46cf
-
Filesize
8.1MB
MD5415151d5dff7c5802378a5380df0c891
SHA1efea1044673855981cb2173d64d5147fe75e2ca9
SHA256ad991b23909407d8f141ef929220a4fa5fbc007d4dfdb723293e5d8aa099daca
SHA512a83b2a87eab25fae7c17927c173607e9d96f7db2593e65b3b541f6249acec0b115dfe8cf88279cfa24dd5d5b823868f0ceb77a7960284bea7d62e0fb111a93e0
-
Filesize
8.1MB
MD5eed24dca9cc4da0a70bf670922e462c6
SHA1ce76ea11a3348c5ee8f00c39360b7846d325b59f
SHA256cc6f3b92b4fd98bfe90f8a5af219419454e14f5f97e1704651a6017826e805cb
SHA5128327e07ba10d80047e9d1ab30c04fccd192c503eda18d095c7b9f36a3292df1dea496da9ea43bd0ac56b2f9ae068f7d5a9d116ec55eaa5a76331a7c7bdb175ec
-
Filesize
8.1MB
MD5506a3f4f1441c0ccc52232c0e7441bc7
SHA19e4793e953df7f704b815eec400234037a595799
SHA2563c572c000fccf092e765809f2e86baddbd0d39315196ad91a50e6e8eee7b0339
SHA512303ae6b16988fde13fab4b220d0c9d554490047e1f6416bc7d49d8f2a4fb0ada15f81ce62604bfe0e1b2ee82c36f64f9ac8d08ddc2ea10f751d8cdc3c172c955
-
Filesize
8.1MB
MD5f5d6939d4b117d6dc92d1ecbf55ca4d9
SHA16066a5c9841eb5c9cd86bd7548ae07338888c1a8
SHA2565bd58506d92962ffb4f83caa4d7be53628b91132f98ec66c5720aa57da41d50d
SHA5127087af2f68d0cc5d8f5c7df8862fbc4e24c1bc3e5bad6ca44fb0dfd0ccc90651dece571b900ab2fd91cab9fed76fa2f6910e421ec38bc12166e484e3a21d2a58
-
Filesize
1.4MB
MD525f62c02619174b35851b0e0455b3d94
SHA14e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a
-
Filesize
8.1MB
MD5e7e8c00e1dca1daf5318bfcb9986f51a
SHA1322eb3c5d7720ad8c01ce4008165058fc67a1946
SHA256d282458d8c277ac6d8404b46b680141fbcfa42ef3a271f63f2fa0947e9011eb4
SHA51229937e95e4f10f15ecd35bf4debace8690735bb31badbcc6d834e1e232c5fbc320bd679e61e4c3ce31e1f17ebc47625c533a114fc9d03977a6c96f53599b4654
-
Filesize
8.1MB
MD541e6eb59a6c9ab8bb3a58fb68d737dd8
SHA12903fd373c11fc9b4cee9e93829233b5e13c0aa6
SHA25635cdb2bbf57828e0c4c8843315c80f447cac19526860a0a0768f9b2deb9a7fe4
SHA512509e7f7561763f5594d61e80fcbe0eaffb5c1d1066cd3aa2a17434fc31356fe8ee55455e5cae52cbad4a51e43704e317ff845d3cdc76de61ab913ffa7be7c721