Malware Analysis Report

2025-08-10 20:10

Sample ID 250518-naagya1lx7
Target 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer
SHA256 4e7db50b82d6096cc22d0e64a0513005e021cd11401799294d43f075ff960d39
Tags
defense_evasion discovery persistence ransomware trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4e7db50b82d6096cc22d0e64a0513005e021cd11401799294d43f075ff960d39

Threat Level: Known bad

The file 2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence ransomware trojan upx

UAC bypass

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies visibility of file extensions in Explorer

Drops file in Drivers directory

Event Triggered Execution: Image File Execution Options Injection

Disables RegEdit via registry modification

Disables use of System Restore points

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Checks whether UAC is enabled

Adds Run key to start application

Drops desktop.ini file(s)

Drops autorun.inf file

Drops file in System32 directory

Sets desktop wallpaper using registry

UPX packed file

Drops file in Windows directory

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

System policy modification

Modifies Internet Explorer settings

Runs ping.exe

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-18 11:11

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-18 11:11

Reported

2025-05-18 11:13

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created \??\X:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created \??\M:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification F:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\I:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\S:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\18-5-2025.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\18-5-2025.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\18-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\18-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\18-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\18-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\18-5-2025.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

UPX packed file

upx
Description Indicator Process Target

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
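The rows above record which process created or touched which file. As an added worked example (not part of this sandbox report and not the sample's own code), the Python below parses rows in that exact table shape and pulls out what an analyst would otherwise pick out by hand: executables dropped under the names of core Windows processes (smss.exe, csrss.exe) outside System32, a binary named after a system folder (system32.exe), which process dropped what, and the VB6 runtime msvbvm60.dll being copied into several system directories. The sample rows are constructed copies of rows from the report with the original's long file name shortened to sample.exe; the table of system-process home directories and the folder-name heuristic are this example's own assumptions.

```python
"""Parse the sandbox file-activity rows and flag dropped executables whose
names imitate core Windows processes or system directories."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import NamedTuple

# Constructed rows in the shape of the report table (Description, Indicator,
# Process, Target). The original sample's long file name is shortened to
# sample.exe here; everything else mirrors paths seen in the report.
SAMPLE_ROWS = [
    r"File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
    r"File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
    r"File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\sample.exe N/A",
    r"File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A",
    r"File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A",
    r"File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A",
    r"File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A",
    r"File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A",
]


class FileEvent(NamedTuple):
    action: str   # "File created" or "File opened for modification"
    path: str     # file the process touched
    process: str  # image path of the acting process


# Both path columns may contain spaces, so the split relies on the "X:\" prefix
# of the process column and the single-token Target column ("N/A") at the end.
ROW_RE = re.compile(
    r"^(?P<action>File created|File opened for modification) "
    r"(?P<path>[A-Za-z]:\\.*?) "
    r"(?P<process>[A-Za-z]:\\.*?) "
    r"(?P<target>\S+)$"
)


def parse_rows(rows):
    """Return a FileEvent for every row that matches the table shape."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:  # headings and blank lines simply do not match
            events.append(FileEvent(m["action"], m["path"], m["process"]))
    return events


# Core Windows processes with exactly one legitimate home directory.
# svchost.exe and explorer.exe are left out on purpose: they also live in
# SysWOW64 or C:\Windows, so a pure location check on them would false-positive.
SYSTEM_PROCESS_HOME = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
}
# Heuristic (assumption): no legitimate executable is named after a system folder.
DIRECTORY_NAME_STEMS = {"system32", "syswow64", "windows", "drivers"}


def masquerading_drops(events):
    """(path, reason) for created executables that imitate a system process/folder."""
    findings = []
    for ev in events:
        if ev.action != "File created":
            continue
        p = PureWindowsPath(ev.path)
        name, parent = p.name.lower(), str(p.parent).lower()
        if name in SYSTEM_PROCESS_HOME and parent != SYSTEM_PROCESS_HOME[name]:
            findings.append((ev.path, f"{name} outside {SYSTEM_PROCESS_HOME[name]}"))
        elif p.suffix.lower() == ".exe" and p.stem.lower() in DIRECTORY_NAME_STEMS:
            findings.append((ev.path, "executable named after a Windows directory"))
    return findings


def drop_graph(events):
    """Map each dropping process to the set of files it created."""
    graph = defaultdict(set)
    for ev in events:
        if ev.action == "File created":
            graph[ev.process].add(ev.path)
    return dict(graph)


def runtime_copies(events, dll="msvbvm60.dll"):
    """Sorted directories into which the same DLL was dropped (bundled VB6 runtime)."""
    return sorted({str(PureWindowsPath(ev.path).parent) for ev in events
                   if ev.action == "File created"
                   and PureWindowsPath(ev.path).name.lower() == dll})


if __name__ == "__main__":
    evs = parse_rows(SAMPLE_ROWS)
    for path, why in masquerading_drops(evs):
        print(f"MASQUERADE {path}: {why}")
    for proc, dropped in drop_graph(evs).items():
        print(f"{proc} dropped {len(dropped)} file(s)")
    print("VB6 runtime copied to:", runtime_copies(evs))
```

Run it directly to print the findings, or feed it the full table copied out of a report. The location check deliberately covers only processes with a single legitimate home; extend SYSTEM_PROCESS_HOME with care, because svchost.exe and explorer.exe have more than one and would need a per-directory allow list.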

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3120 wrote to memory of 1492 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 1492 wrote to memory of 3580 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 1492 wrote to memory of 2868 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 2868 wrote to memory of 4684 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 2868 wrote to memory of 116 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 2868 wrote to memory of 3020 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 3020 wrote to memory of 1744 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 3020 wrote to memory of 2296 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 3020 wrote to memory of 4852 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 3020 wrote to memory of 536 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3120 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 3120 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 536 wrote to memory of 4460 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 536 wrote to memory of 2916 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 3120 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 536 wrote to memory of 4620 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 3120 wrote to memory of 3840 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1492 wrote to memory of 4864 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 536 wrote to memory of 1916 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1492 wrote to memory of 2696 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 536 wrote to memory of 4064 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3840 wrote to memory of 4412 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 18-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
GB 2.18.27.76:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.178.3:80 c.pki.goog tcp

Files

memory/3120-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

MD5 6db685c7c2e3c7b1262455f5dd2607f0
SHA1 795ac9de22496df1395ac03c2960d75e9fbb5264
SHA256 4e7db50b82d6096cc22d0e64a0513005e021cd11401799294d43f075ff960d39
SHA512 ac262ceb58e43899a5c08ab0abe45522855e1c88c2ff801190172f2f94fe7add8eae3aa43d95dbd2e8a74080486699c2ea25fba6be2ecf31c515d0e1e428be51

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

MD5 c1e12c8e320ba1262fb0d7b48f7830d8
SHA1 b34424dde2a2de4edb039392f23b656032e59b93
SHA256 6f861cfbd3569e9069f4c44459e8c05f428417eb6791ee52ba221d18646e67f5
SHA512 fd9c257c47427f1e3315d7cf8e3c751c2a14f9e0beba86eeeb2259dccc0698b16a727126cfeca01f62315667df772394819aab754afdb09558cacd4acd59f244

memory/1492-32-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\SysWOW64\drivers\system32.exe

MD5 b90ebbf53af4a626ce927f6e6db5957f
SHA1 e3e4eb6892b405d851f90f85405d2aa293a2f139
SHA256 d401c64f7ce91605ebc2d4a556dce17a3a3a757305e2c21a22794fd67e6ab434
SHA512 3a0158c06539e87994ff6420df79a017c17d483aade391c40cdc554453dfdcbe280bb93382a9b5a6c3ee2e2c52b0d47956d2d96543d987b7fec8ebba15e2e868

memory/3580-70-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 b8856d5dc116af4b7b7b5acdfa60807f
SHA1 573546145d4563bf060c0a46b4eee2d4da4dca2f
SHA256 e4f94219841169ca940eb69ded9e54038e3e7c09b46dc8548f039448232bab0e
SHA512 f2baec56290e3bfd139b4b726d057cf74a1fdf5c158ee845c6828b73a8fded3aacafd6e3f35a2c8eb173d2727991155f21ebd83213ce5c8e421be050b74fd91f

C:\Windows\SysWOW64\18-5-2025.exe

MD5 82f89e0efd5366bf83fa3088cfee942e
SHA1 3b5d55ba9602668dca5d91e16e30efb7e66b9f07
SHA256 50b7e07979abc00b558d66758f53fca92e51292fa0993eca7082a85c74f3c426
SHA512 d06f9f4bc0214a25b602d1d41f0fed7bd11b766d20ad1d972f85d434fa4e56bcd28e65c83c40b4815d29e9110dd7347458cc42d3294ceb8211c868e98328876b

memory/3580-73-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

MD5 b40505dd9bfbd4cee5bbd3330764476b
SHA1 260c7cf6363e052534320347f4c70e37649086d2
SHA256 ba7960c02ac5bac9103b539efd0132c675444dd92a34c8d8b12f7f0446366fc0
SHA512 a184224fefe6bb5ec0c2897c11a944e130db16a159fc4b047b997971a90b75028354f9d2c459eaf12d664d8ca9689d0ea38ae08147c7b6a1e6f561940825b33b

memory/2868-76-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

MD5 0587e4f8237ea92f227b596ddeffe39b
SHA1 b34b8ff8969df0a0a65eb5bdd2e4262f813dca98
SHA256 3e284151765d98efa1fcb69c46e14c0bd594dd04179fefef3d662e4fe5423c81
SHA512 12bcbc6b6872059fd8ae52271ae89daeebef5c44e0871ed94ad377db086111499e899c704d266f23c437772628ee59236a5a6ae3c1b9aa2c1dfcf9cb46e7ff9d

C:\Windows\SysWOW64\drivers\system32.exe

MD5 05ceb1872969e2a0aa00d134559f611c
SHA1 9362de422bee0e6f17628573b992abe6e6f54db8
SHA256 e2d0736f22fe1fffe8f0f08d1c0b60810eaee0522f748a32a5f6651ae3543e5e
SHA512 eba0dce6e8ffd002672d552e06eb4169194264695919a68f3aa007dcecb6bc3ac77ad3870a8a60e2e46daf2f552d7f9c6da88cad1a56210350ee16f00d841f8a

memory/116-119-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3020-121-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3120-120-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1492-127-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\18-5-2025.exe

MD5 9cfaa7f33f099a3a2111c467818a9453
SHA1 e80ddc7b4d8ee03b035461f4621b690d9907dc0b
SHA256 d36ce338e7609b4befad73350b8a1838cb908a64a1fc2462f5dd0910b3099b92
SHA512 503b5643a6477cefa3f47e123e31ba33f5ec6339f9b840f7181525db1f6cc9526044237e508c1565da04e764476616ca95c7432d72a1946f3fee2da7478bff42

C:\Windows\SysWOW64\drivers\system32.exe

MD5 43b3acde70a8e97ec5c1f56820746ef3
SHA1 f5c85ecd27d36622a181c13009244befc9ba2ea6
SHA256 7b4a68fd4cc6d6da139f0da8ca52ac170c1c939fa2c9bf499577a91bda8197c6
SHA512 c0c94e4eb717622a9bb6d78eb886cc07577fbd9ad818828e5aa04e060e77540c05fc31768b0b565cc90cb011780b5fbc3e80b25177441029904d1db9f6919600

memory/2296-153-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2868-158-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2296-160-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4852-162-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 11d664154930e8524ec6f9c2ca5ec54a
SHA1 a00e400329656d34f1e0f06f71e0bf71f3291997
SHA256 99c87383e7ab52e3f32d9adc98aa275afee8304850d476495b035ebf6654c4a6
SHA512 401f4259eb4af2abb8779fa26c5e94a9afffadbfe32538f0b667bd748ffd0463fc35a30adf73adaae15b1c2224a9bfb0dbb03c024d433c3ba518c2a7683045b7

memory/536-166-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\18-5-2025.exe

MD5 73046555826e790b83611bcf283f89be
SHA1 62119c7facf960b4253a8798d5ba10c96bf9f721
SHA256 93fbada7fd924b04f8ede0b55f8844968e43414e99c46127147c47f2a064660c
SHA512 65971365bd97c1891569693712036ff0f8f7a9c4de675eed5e29e5327a4b5fe8c8796b71603663843b1f0ee42a59eca3a8df1e5b38071a6b674d6cd231ec489f

memory/3020-195-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2240-193-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4460-205-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1952-207-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3604-209-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1952-215-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 2be3a78a67d8a21a0e57d09d8dc5b88d
SHA1 2196b991d80ed0ea9caa58dc8519cc2df9f63d67
SHA256 c6d7e90e370c726fe78562dfbf095a8651139598400ab7e9b3a850767d40cb04
SHA512 62540a1a6dc71de6b6916ce8bbc1e7483d387de9d6aae9f01866076a28af4ff6f2e54f4023b710d715e9d9a0fb5f436db2a4bba6e7e61b1b5ce2fd726cc3f51c

memory/3840-217-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2916-213-0x0000000000400000-0x000000000042B000-memory.dmp

memory/536-226-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4864-234-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1916-237-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3608-247-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2696-249-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4064-255-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3608-259-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4684-261-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1804-262-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3840-260-0x0000000000400000-0x000000000042B000-memory.dmp

memory/704-267-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1832-273-0x0000000000400000-0x000000000042B000-memory.dmp

memory/212-272-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3708-276-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-18 11:11

Reported

2025-05-18 11:13

Platform

win11-20250502-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 18 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 18 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "18-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created \??\O:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\S:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created \??\O:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created \??\X:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\I:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created F:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\P:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\18-5-2025.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\18-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\18-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\18-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\18-5-2025.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\18-5-2025.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\18-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A

UPX packed file

upx
Description Indicator Process Target

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 18 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A (33 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A (6 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A (6 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A (6 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A (6 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A (6 rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A (1 row)
(The raw report lists these as 64 separate rows, every one opening the same NLS\Language key; they are collapsed here by process, with the row count in parentheses.)

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A (34 rows)
(The raw report lists this row 34 times, one per ping.exe execution; the sandbox captured no indicator or target for any of them.)

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3588213599-686740421-4058676312-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4364 wrote to memory of 1280 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 1280 wrote to memory of 5028 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 1280 wrote to memory of 5716 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 5716 wrote to memory of 2040 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 5716 wrote to memory of 2064 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 5716 wrote to memory of 3428 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 3428 wrote to memory of 3152 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 3428 wrote to memory of 3252 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 3428 wrote to memory of 5584 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 3428 wrote to memory of 6064 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 6064 wrote to memory of 2568 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 6064 wrote to memory of 1984 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 6064 wrote to memory of 2004 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 6064 wrote to memory of 6000 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 6064 wrote to memory of 6124 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 6124 wrote to memory of 5600 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe
PID 6124 wrote to memory of 3704 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe
PID 6124 wrote to memory of 3440 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe
PID 6124 wrote to memory of 5356 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 6124 wrote to memory of 5736 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3428 wrote to memory of 492 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5716 wrote to memory of 4556 N/A C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-18_6db685c7c2e3c7b1262455f5dd2607f0_amadey_black-basta_elex_luca-stealer.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 18 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 18-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
IE 52.111.236.21:443 tcp

Files

C:\Windows\Fonts\Admin 18 - 5 - 2025\csrss.exe

C:\Windows\System\msvbvm60.dll

C:\Windows\Fonts\Admin 18 - 5 - 2025\smss.exe

C:\Windows\Fonts\The Kazekage.jpg

C:\Windows\SysWOW64\18-5-2025.exe

C:\Windows\Fonts\Admin 18 - 5 - 2025\Gaara.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Autorun.inf

C:\Admin Games\Readme.txt

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a