Malware Analysis Report

2025-08-10 20:09

Sample ID 250518-m62qmack6x
Target 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer
SHA256 4e7db50b82d6096cc22d0e64a0513005e021cd11401799294d43f075ff960d39
Tags
upx defense_evasion discovery persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4e7db50b82d6096cc22d0e64a0513005e021cd11401799294d43f075ff960d39

Threat Level: Known bad

The file 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer was found to be: Known bad.

Malicious Activity Summary

upx defense_evasion discovery persistence ransomware trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Modifies WinLogon for persistence

Modifies visiblity of hidden/system files in Explorer

Disables RegEdit via registry modification

Disables use of System Restore points

Event Triggered Execution: Image File Execution Options Injection

Drops file in Drivers directory

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops desktop.ini file(s)

Enumerates connected drives

Checks whether UAC is enabled

Sets desktop wallpaper using registry

UPX packed file

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Modifies Control Panel

System policy modification

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-18 11:05

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-18 11:05

Reported

2025-05-18 11:08

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A

Modifies visiblity of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\A:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\18-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\18-5-2025.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\18-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\18-5-2025.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\18-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\18-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\18-5-2025.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5064 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 5064 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 5064 wrote to memory of 3852 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 3852 wrote to memory of 1040 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 3852 wrote to memory of 1040 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 3852 wrote to memory of 1040 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 3852 wrote to memory of 1812 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 3852 wrote to memory of 1812 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 3852 wrote to memory of 1812 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 1812 wrote to memory of 4844 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 1812 wrote to memory of 4844 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 1812 wrote to memory of 4844 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 1812 wrote to memory of 1240 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 1812 wrote to memory of 1240 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 1812 wrote to memory of 1240 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 1812 wrote to memory of 4552 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 1812 wrote to memory of 4552 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 1812 wrote to memory of 4552 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 4552 wrote to memory of 3984 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 4552 wrote to memory of 3984 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 4552 wrote to memory of 3984 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 4552 wrote to memory of 4424 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 4552 wrote to memory of 4424 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 4552 wrote to memory of 4424 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 4552 wrote to memory of 1948 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 4552 wrote to memory of 1948 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 4552 wrote to memory of 1948 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 4552 wrote to memory of 744 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4552 wrote to memory of 744 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4552 wrote to memory of 744 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5064 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 5064 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 5064 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 5064 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 5064 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 5064 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 744 wrote to memory of 2256 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 744 wrote to memory of 2256 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 744 wrote to memory of 2256 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 5064 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5064 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5064 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 744 wrote to memory of 4004 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 744 wrote to memory of 4004 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 744 wrote to memory of 4004 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 5064 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5064 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5064 wrote to memory of 5084 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3852 wrote to memory of 4188 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 3852 wrote to memory of 4188 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 3852 wrote to memory of 4188 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 744 wrote to memory of 4024 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 744 wrote to memory of 4024 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 744 wrote to memory of 4024 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 3852 wrote to memory of 3060 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3852 wrote to memory of 3060 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3852 wrote to memory of 3060 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 744 wrote to memory of 2500 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 744 wrote to memory of 2500 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 744 wrote to memory of 2500 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3852 wrote to memory of 4536 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3852 wrote to memory of 4536 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3852 wrote to memory of 4536 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5084 wrote to memory of 2232 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 18-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

memory/5064-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

MD5 6db685c7c2e3c7b1262455f5dd2607f0
SHA1 795ac9de22496df1395ac03c2960d75e9fbb5264
SHA256 4e7db50b82d6096cc22d0e64a0513005e021cd11401799294d43f075ff960d39
SHA512 ac262ceb58e43899a5c08ab0abe45522855e1c88c2ff801190172f2f94fe7add8eae3aa43d95dbd2e8a74080486699c2ea25fba6be2ecf31c515d0e1e428be51

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

MD5 f15da5f411777f32ff1f14bf763e5caf
SHA1 67a7c701fb6e642122b32501740653bc8702233c
SHA256 8b3b208e83aa0427694a0bc18137725d40282eb1719a9bd464ce6df65dd34309
SHA512 6e67040b0f7fac3fb98f4baa5c0ad2ac29dce60baea2e9ad440caa4025ff6ccdad15613587cf4aba330224b4715bd1f2605451c92f8b614bd08f29af592cc289

memory/3852-32-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\drivers\system32.exe

MD5 6c278874f20ba32c622eb545982ba610
SHA1 c609dbe86fea38f93c3ec5f398315d70ab9dc4ad
SHA256 22a61950efb5b29bc8b3b9336c7d414d305977eee026e7dd0590fae08d87ea1c
SHA512 2fa3a35072c4c900e1a452d18cee378efa08b68072ff342a6eb664f995124c52c8f7f9a6179e50979ea3052d32d3eb08fd19be336ea86578d388e4d70cc6d3aa

memory/1040-72-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

MD5 88517ad19cf5419a92590d019d337953
SHA1 5c708094538a42a1273ca3a70e4036a3d203bb65
SHA256 bdfb77776ec97f16297b108a7a917178e3695797ae2424aae8bfbb304cdbd1d2
SHA512 0bca56d357135a37ee866df496cd2f2f48bcb889cc44a85ea229554575a8ac9ea804c82a89ee13c6d17848bcf34c7a467c335ed80b6cee85f36ab260f5690163

memory/1812-75-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

MD5 470a3b9131466a09e31a104798fd8ae5
SHA1 14f84d138d34c68690273708503845efbe781762
SHA256 ccfccf6060b4fb2e02aebfc78d197942853ee3c143e4830cb84038281f489cc0
SHA512 c8990e8d095d1d3c95b413d9a31c4e808d91e0f84ffa1f1d7b6bca0faa3a8b359a5bfb07a1073d2df13a0853780e9309d5eec38075e40e9e1a1168da537d5559

C:\Windows\SysWOW64\drivers\system32.exe

MD5 63c7ea76272045620a92f837e81b6823
SHA1 f866590adbc6497735d258cf83d04732c8e5a65d
SHA256 8aeebda4592fbdbddfc32f79ccabbd27467087bdbb877336a661c4be8f2df1ce
SHA512 fefdc07e796b2cbcc7fe16065431d4c7e43106707fd4e004eac085e2ec27641a8cb56d4931cac1deacd4759d3da03fd5d7d88edcdb61fec3e0798ac2f7967934

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 5508de702dc2440df476902daeaa6247
SHA1 2c3d7ba195c0d6bc8292578426b08f583e490b1a
SHA256 605b77c4804959472f4176767632a1e3a404455285422e593ebb7f2f1fec4a9f
SHA512 2e36635381dbb2c9228fbf06ea454dc11bd5c834712ced185d40acbab4092885023ddbd67146068e9b9eba48ad540ddd9e54a4b862a10da137f8fd19d2055633

C:\Windows\SysWOW64\18-5-2025.exe

MD5 2119dfd5b3ae334e262252ab286dbab2
SHA1 b65c2af47c2a61149068b2b385c7ad41dbaaba50
SHA256 77b070823f96e95aa58ca01b7effa45d8a2e513f25e0db5d033e3bb72c7db65c
SHA512 53d865040f2cc2b9cc0f3a385945b12654ebda907fe026f0e0597ca1e84cc834a8edca9782dd215c728ae41b3ab28bf87f9aa787ecc16ee2333a63eb09cefe95

memory/4844-108-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1240-113-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1240-116-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4552-121-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5064-138-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3852-148-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 2eb3194f76a5eb28901c1389ddef01af
SHA1 de0192c386bc301f5d371247877b07d386a042d1
SHA256 a2078cc50c6dfb0b2173240436a17227fddb6bcf1a23c5d63ac364b691f01144
SHA512 6676e8b30734e0c17bbaaee0a0e5cd60b2210735943eadcb386cd1627a7eb551ab15a6c8b0e1d65102b766086a61bf57e479c07c944dcf39147647e3ffca81c3

memory/3984-154-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4424-159-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1948-162-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 bcf1d12eb6d5acbbca65b5eaf79a161c
SHA1 05484cd07e044413543d7a880e0c3a518e8e0e05
SHA256 3ff5d5bddef1956d79ba4e00692bfa15ff1aadf71cdae1a4de5f1d3053f3c2b7
SHA512 d16c4bcbd14a9248c1c62eb6504796d0d7942542b3b6dc9a6ad1754cb8c297f9714040baed1d2ebbb313d69914835a15c7735ffb5cd4d1d43db5c29e36217be5

memory/1812-165-0x0000000000400000-0x000000000042B000-memory.dmp

memory/744-166-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1772-182-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 c74079b66a4083438fdb2202a76e96d4
SHA1 854ac8ea80568fe69cd0db7797c3b93f0fbcfcea
SHA256 da09f35868c3160107c4d6a5d20ba8b8b7ad9408b62d7912b22d3c003b2229d6
SHA512 d6756e6257a5b203ce9fc03d4006c01bf2d710b62b439eeab3fb32fbfd7c1846676d8e73e5432d49999d8409dbb7d60fb8e3907f29dad2e753cfe8052af1998f

C:\Windows\SysWOW64\drivers\system32.exe

MD5 9306a8fa003f129221deba2a1374f168
SHA1 449eca465f8af358130b2478b2c87ebf18a8952b
SHA256 127e81b4934c6c4d959d38eec7492192bd2414fbfbb427a4c4adc9096bcf32dd
SHA512 4fde487352f8ad0046e81b38c425e274e59b71955711d0f11cd9db51d7d74981461249836c2d2e47c4854a4b2eda55ea95b92ac7ddc2aca776e49b5b107c68d8

memory/4552-202-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1820-203-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5084-214-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1620-210-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4004-222-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2500-230-0x0000000000400000-0x000000000042B000-memory.dmp

memory/744-229-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3060-243-0x0000000000400000-0x000000000042B000-memory.dmp

memory/464-246-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4536-248-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2232-251-0x0000000000400000-0x000000000042B000-memory.dmp

memory/464-256-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3752-259-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2684-258-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5084-257-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2676-264-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4828-269-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1580-272-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2092-275-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5108-276-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a