Malware Analysis Report

2025-08-05 15:06

Sample ID 250519-qpw1lagr3t
Target 2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer
SHA256 8aa43bb73206286b0e7f4332fbf9bacc8970ad0c187062737fb34a0d354fac09
Tags
upx defense_evasion discovery persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8aa43bb73206286b0e7f4332fbf9bacc8970ad0c187062737fb34a0d354fac09

Threat Level: Known bad

The file 2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer was found to be: Known bad.

Malicious Activity Summary

upx defense_evasion discovery persistence ransomware trojan

UAC bypass

Modifies WinLogon for persistence

Modifies visibility of file extensions in Explorer

Modifies visibility of hidden/system files in Explorer

Disables RegEdit via registry modification

Disables use of System Restore points

Event Triggered Execution: Image File Execution Options Injection

Drops file in Drivers directory

Loads dropped DLL

Executes dropped EXE

Checks whether UAC is enabled

Adds Run key to start application

Enumerates connected drives

Drops desktop.ini file(s)

Sets desktop wallpaper using registry

UPX packed file

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Modifies registry class

Runs ping.exe

Modifies Control Panel

System policy modification

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-19 13:26

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-19 13:26

Reported

2025-05-19 13:29

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\B:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\H:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created F:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\W:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\M:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\19-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A

UPX packed file

upx
Description Indicator Process Target

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
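The table above ends the file-activity listing. Read row by row it is noise; read as a graph it shows the dropped executables under C:\Windows\Fonts\Admin 19 - 5 - 2025\ and C:\Windows\SysWOW64\drivers\ writing one another back to disk, with the VB6 runtime (msvbvm60.dll) copied to several system directories by every copy. As an added example, not part of the sandbox report, the Python below parses rows in that layout and extracts those two facts. SAMPLE_ROWS is a constructed excerpt copied from the table; the parsing rule (a known action prefix, an indicator path, a writer process path, a trailing N/A) is an assumption about this report format.

```python
"""Summarise the file-activity rows of a sandbox report.

Added example, not part of the original report. SAMPLE_ROWS are copied
from the table above; the parsing rule (action prefix, indicator path,
writer process path, trailing 'N/A') is an assumption about that layout.
"""
from collections import defaultdict
from itertools import combinations

ACTIONS = ("File created", "File opened for modification")

# Constructed excerpt: rows copied verbatim from the report's file table.
SAMPLE_ROWS = r"""
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
"""


def parse_row(row):
    """Return (action, path_written, writer_process), or None for rows of another kind."""
    row = row.strip()
    for action in ACTIONS:
        if row.startswith(action + " "):
            break
    else:
        return None
    rest = row[len(action) + 1:]
    if rest.endswith(" N/A"):
        rest = rest[:-4]
    # Both remaining fields are absolute paths; the writer begins at the last ' C:\'.
    cut = rest.rfind(" C:\\")
    if cut < 0:
        return None
    return action, rest[:cut], rest[cut + 1:]


def build_graph(rows):
    """Map each writer process to the set of paths it created or modified."""
    writes = defaultdict(set)
    for row in rows.splitlines():
        parsed = parse_row(row)
        if parsed:
            _action, path, writer = parsed
            writes[writer].add(path)
    return writes


def mutual_redroppers(writes):
    """Pairs of executables that each write the other's on-disk image."""
    pairs = set()
    for a, b in combinations(sorted(writes), 2):
        if b in writes[a] and a in writes[b]:
            pairs.add(frozenset((a, b)))
    return pairs


def shared_drops(writes, min_writers=3):
    """Paths written by at least `min_writers` distinct processes."""
    writers_of = defaultdict(set)
    for writer, paths in writes.items():
        for path in paths:
            writers_of[path].add(writer)
    return {p: sorted(w) for p, w in writers_of.items() if len(w) >= min_writers}


if __name__ == "__main__":
    graph = build_graph(SAMPLE_ROWS)
    for pair in mutual_redroppers(graph):
        print("mutual re-drop:", " <-> ".join(sorted(pair)))
    for path, writers in shared_drops(graph).items():
        print(f"{path} written by {len(writers)} processes")
```

On this excerpt smss.exe and Gaara.exe re-drop each other, as do smss.exe and csrss.exe, which is why deleting one copy while another is still running does not clean the host; the same function run over the full table also lists every directory the runtime DLL lands in, which is the list to sweep during clean-up.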

System Location Discovery: System Language Discovery

discovery
Every process in this run opens the NLS\Language key, including the stock C:\Windows\SysWOW64\ping.exe instances listed below, so this signature fires on ordinary system binaries as well and carries little weight on its own.
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
The Indicator column is N/A for all 36 rows: the report records only that ping.exe was launched repeatedly, not which host it probed; the arguments, where captured, appear in the Command Line section of this analysis.
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

defense_evasion
The values below point the desktop wallpaper at the dropped C:\Windows\Fonts\The Kazekage.jpg (ConvertedWallpaper, WallpaperStyle = 2) and configure the built-in Marquee screensaver (SCRNSAVE.EXE = ssmarque.scr, ScreenSaveTimeOut = 400) to scroll the taunt text in red Blackadder ITC on a black background. The original dropper and all five dropped copies write the same values, so they are a cheap per-user host indicator rather than a real evasion.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A

Modifies Internet Explorer settings

adware spyware
The only IE value written in this run is Main\Window Title, set by every dropped copy to the taunt string below; no start page, search or proxy settings are touched, so treat this as a cosmetic marker rather than adware behaviour.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A

Modifies registry class

Pointing the VBSFile Open, Open2 and Edit verbs at calc.exe means that opening or editing any .vbs file from the shell launches Calculator instead of WScript, CScript or Notepad, which stops VBScript-based removal scripts from running by double-click; pointing inffile\shell\Install\command at "shutdown -r -f -t 0" turns a right-click Install on any .inf file into an immediate forced reboot. Both are machine-wide (HKLM\SOFTWARE\Classes) changes that persist after the executables are removed, so restoring the handlers is part of clean-up.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
(36 identical rows, one per ping.exe invocation listed under Processes)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A (24 identical rows)
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A (24 identical rows)
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A (16 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5804 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 5804 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 5804 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4672 wrote to memory of 4956 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4672 wrote to memory of 4956 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4672 wrote to memory of 4956 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4672 wrote to memory of 2392 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4672 wrote to memory of 2392 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4672 wrote to memory of 2392 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 2392 wrote to memory of 5924 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 2392 wrote to memory of 5924 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 2392 wrote to memory of 5924 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 2392 wrote to memory of 3216 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 2392 wrote to memory of 3216 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 2392 wrote to memory of 3216 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 2392 wrote to memory of 6100 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 2392 wrote to memory of 6100 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 2392 wrote to memory of 6100 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 6100 wrote to memory of 5308 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 6100 wrote to memory of 5308 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 6100 wrote to memory of 5308 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 6100 wrote to memory of 5280 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 6100 wrote to memory of 5280 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 6100 wrote to memory of 5280 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 6100 wrote to memory of 2920 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 6100 wrote to memory of 2920 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 6100 wrote to memory of 2920 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 5804 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 5804 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 5804 wrote to memory of 1440 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 5804 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 5804 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 5804 wrote to memory of 928 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 6100 wrote to memory of 748 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 6100 wrote to memory of 748 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 6100 wrote to memory of 748 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4672 wrote to memory of 3672 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 4672 wrote to memory of 3672 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 4672 wrote to memory of 3672 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 5804 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5804 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5804 wrote to memory of 3948 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4672 wrote to memory of 4484 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4672 wrote to memory of 4484 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4672 wrote to memory of 4484 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 748 wrote to memory of 232 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 748 wrote to memory of 232 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 748 wrote to memory of 232 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 5804 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5804 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5804 wrote to memory of 4520 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 748 wrote to memory of 8 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 748 wrote to memory of 8 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 748 wrote to memory of 8 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4672 wrote to memory of 4284 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4672 wrote to memory of 4284 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4672 wrote to memory of 4284 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 748 wrote to memory of 1964 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 748 wrote to memory of 1964 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 748 wrote to memory of 1964 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 4520 wrote to memory of 968 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4520 wrote to memory of 968 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4520 wrote to memory of 968 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 748 wrote to memory of 4160 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_baa9c23af961b3c811a4f76b05c3c764_amadey_black-basta_elex_luca-stealer.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 19-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
FR 23.192.237.211:443 www.bing.com tcp
FR 23.192.237.211:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp

Files

memory/5804-0-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

MD5 baa9c23af961b3c811a4f76b05c3c764
SHA1 69c6ee80195d20934ced477a0f2388611c0389b2
SHA256 8aa43bb73206286b0e7f4332fbf9bacc8970ad0c187062737fb34a0d354fac09
SHA512 bef53f68ad8174a5d1206c88af7ae78368f61d9718460e1384fa8450f9d3fb2efca16c5e91812858c9a671c1db6f12bd03989563d12127c000caf1f705bfed46

C:\Windows\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

MD5 e6e069105f5133fc9dd7d7219481df4b
SHA1 bd563359aa7bbf0f67181f52e654661e405211d2
SHA256 27cfacbcaf009c2e2ddb7a1b2d872461c753381292fb0c0c7f9a4a6df1c6102f
SHA512 9b912f6b40d78fd14c9d1cf784245c49952580eb23a4eb40c9e3fc6ac1a03019de0faa5bf0a17b1d8fdca953c1a7793e8921732985928caaaebf8853ec22530b

memory/4672-34-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

MD5 79108523f9e271f47596464ebedadc37
SHA1 271699872b6ce8aa89fbd4896a7f52d9f63fa43b
SHA256 2e7d6c03a28c99f0587599c57f229c6e68c2bd6b15ca26b58930301ccac6a40d
SHA512 c6e6e10850343c94c89b6a25179d916132c29c36302aabbe7d0753c045484943030e60bcffd8d80fd866cf3f6357a403f53d7397086e6f4fdc1315c9737f2412

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

MD5 fce0c5f924a347afbde784ecade85a05
SHA1 53b547a066cf800552d0619b1a64b9036bf254bc
SHA256 3878d31bb3b9b5ca2a8d1baddb07cb6877263df8c08f8cc5e06cc09ffcbfd5ad
SHA512 45840493975cce086b7acd6c36714d818be37f0d36458762b5b83e1779b9044ce7c9bd4ee1ee3c090de2372913a09615cd26b2c7ccef8ab602fd7ff64cf79fc0

C:\Windows\SysWOW64\19-5-2025.exe

MD5 8153689a257be075a7b82bc9252f8eef
SHA1 c117b1f50bd8f5ada056e349fa2b16ff8a5f595e
SHA256 3589376afbf68ce9358df1a17a1e4d8fd86e4c8c43ab9eb0d63958b299a3c6ee
SHA512 92e717603ea685474f2e49a223c422196cd2a6106329b021ed2f8fecc19091d43fe311e9fd004320dca06fdfbd7b278ab720769fb97deb29fd9d7f8a7dddeea9

C:\Windows\msvbvm60.dll

MD5 3121a783fc1c4c2c6942fe2cae6f1b22
SHA1 05cf5ce7d797e689d7d1e153ab5941a099aa5336
SHA256 9ea03d1d840ce2049d689eccc7e51d122f3c04ad622d278f7cf49ed3b9ea5e1e
SHA512 4a3fdc9ac82aa243defb004518900e35be9674728006fe6cb5ff5699bd3aa2827191dd05c5ec8dd432809254c9633916765ff19dc2b561c7bf68ba6c2cb1bea8

memory/4956-70-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4956-79-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2392-77-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\SysWOW64\19-5-2025.exe

MD5 6128c7de0bd786c62a8d7a1780540547
SHA1 fddd02275cc91423793f5dd57e21e1740d635a09
SHA256 06b760ced482ae22f11bd5c8b186951c6e9f7d2e26997ee1e9a40cfa7433bf62
SHA512 1c8ecf7afdafdcb5049b55a662b46237b633d8d13e941baa5630fb4348b56d10c6d96be4e44c683ccbbbff86b393a05cc1e5756bea2c37c70dfd28d34df460c5

C:\Windows\SysWOW64\drivers\system32.exe

MD5 cc104bcacba865fdc22928681448737c
SHA1 bf92584341c586f00bb0b47c6fd5dd58caea6cd3
SHA256 e0719ad01e092c55d80db0d4f64a0f5e5df3b05f238c50b14e771efb32fef1b8
SHA512 d505b58a74c4ecffb99161bba672a68c349d703b2e4d5cd2a0411cb03ac8045995c12729e9960b9e9c2d471b649ce5962496f2920cbbb21a4c64522e6d7ccb50

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 a1594c571c6f95a1b7079ea05c2fded9
SHA1 15928eeea57640c24d98f773e8dbbbd6ea3a4040
SHA256 1f679d51317fa25513111b4034e39a8a6e1f1047fec125e1c4718856aa2fb026
SHA512 cd9e777e94832a0235516128d653919158a5df3d92062e5e03780c6edb07c701807049743de5687b54ba7ee65a64d45b11b22848f47a5adda8e6d81809c92575

memory/3216-118-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

MD5 9c10bca1e73170de774ee6190c0892f5
SHA1 96c4851fc7726f2d8033c60c82ad8b6f0a606004
SHA256 b642c9311b1119821b591800eeffe5376c39a273ae2d3970a725223578137233
SHA512 7371aca1f84cd7564079e878c4a4dfc40c102fc029213f9a1c180c4b42ace6acc63e27aae4e6e9cf6f38c08ac27ebaea3dc8aacec7220f382194d6276a7a7ecc

memory/6100-122-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5804-121-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\19-5-2025.exe

MD5 9bf33e262b79f66040de89c83e907313
SHA1 fb68b1ea0253fc80ebc7a2ec9a3047a3905d055b
SHA256 a00030511aaeb8c8429174c86212b5c0a26834ca8ac0a7cfb9651a1b29cf3d48
SHA512 4b3b442165a1a30f3152c44ec3fc67f1feec3d61a4adc9c0f7303e3929a7c15acacbf914d7ff622d5516500f88a237611127ea1fddc3eb49dd3d8a979ad0be91

memory/4672-137-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5308-153-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5280-159-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5308-161-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5280-168-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2392-165-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1440-171-0x0000000000400000-0x000000000042A000-memory.dmp

memory/928-180-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1440-182-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2920-179-0x0000000000400000-0x000000000042A000-memory.dmp

memory/748-188-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 0112a0559a08154c9d0381f5babc4e11
SHA1 63f9e05aa83fbebd75c2390d338008badf2e74a1
SHA256 38b96e197ba0f453e69a61d6cc98d1dba2f9f14b5fe9099ef475025e99d3f260
SHA512 0a555fb842c779b9405293e199b16e5cc2027d0d707dce876b14bfde6ef6076355f177b1beb4ddddce0166afa04b8eb24574cb2e7bfeea8fad4164067e4106f8

memory/928-198-0x0000000000400000-0x000000000042A000-memory.dmp

memory/6100-211-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 ef1ac29feaa3fef0906368f0b9cf1f92
SHA1 ff1d057e532b2ff345ed6a3c9982664997a3402b
SHA256 bc02898181ec05688f7e2a2509a887ad40bf755c137ce070df6fd1001a5a461c
SHA512 bb9e7fc380f8b6ce7366cbdcfa082ab255a914dcc7d0a7cf04ee041be9e2052546a79b01b7a49849595066815815d1ab292f38144ee6373f395967dc8428e5e3

C:\Windows\SysWOW64\19-5-2025.exe

MD5 b6043061f8c73777d18c71ef2dbf1a49
SHA1 4b1c673992457ff0fab1d16ea8a27bdbd0a68c04
SHA256 f3664e86efab61d433804d2cc2caa14cfe17278f8c07be44467401440d71a54c
SHA512 26e28ee5df54ea60d3377ddd79263a7e5b557e3de1e6110e9657680b20efdbf46763d9d8c6a71d8937fe24727b9c94e243e73afdc830aa0553190ee50c62afed

memory/3948-228-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4520-232-0x0000000000400000-0x000000000042A000-memory.dmp

memory/232-238-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4284-241-0x0000000000400000-0x000000000042A000-memory.dmp

memory/8-253-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4284-260-0x0000000000400000-0x000000000042A000-memory.dmp

memory/748-261-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1964-265-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4160-275-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4504-279-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4612-282-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1532-284-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4520-288-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2856-287-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4600-290-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4612-294-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2856-298-0x0000000000400000-0x000000000042A000-memory.dmp

memory/6100-301-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1684-303-0x0000000000400000-0x000000000042A000-memory.dmp

memory/6132-307-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4764-309-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5804-310-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4672-311-0x0000000000400000-0x000000000042A000-memory.dmp

memory/748-312-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2392-313-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4520-314-0x0000000000400000-0x000000000042A000-memory.dmp

memory/6100-315-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5804-316-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

memory/5804-371-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2392-415-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

memory/4672-501-0x0000000000400000-0x000000000042A000-memory.dmp

memory/6100-587-0x0000000000400000-0x000000000042A000-memory.dmp

memory/748-591-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4520-592-0x0000000000400000-0x000000000042A000-memory.dmp