Malware Analysis Report

2025-08-05 15:05

Sample ID 250519-r54k2szlz5
Target 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer
SHA256 b7bccca618d889b72c3ec43f142082cdf5e79df979817de0b884f6fbc2fac7d6
Tags
upx defense_evasion discovery persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b7bccca618d889b72c3ec43f142082cdf5e79df979817de0b884f6fbc2fac7d6

Threat Level: Known bad

The file 2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer was found to be: Known bad.

Malicious Activity Summary

upx defense_evasion discovery persistence ransomware trojan

Modifies visiblity of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

UAC bypass

Modifies WinLogon for persistence

Event Triggered Execution: Image File Execution Options Injection

Disables RegEdit via registry modification

Disables use of System Restore points

Drops file in Drivers directory

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops desktop.ini file(s)

Checks whether UAC is enabled

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops autorun.inf file

UPX packed file

Drops file in Windows directory

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Modifies registry class

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies Control Panel

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-19 14:47

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-19 14:47

Reported

2025-05-19 14:50

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A

Modifies visiblity of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\L:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\O:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\H:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created D:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Y:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\19-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3160 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 3160 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 3160 wrote to memory of 4624 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4624 wrote to memory of 4980 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4624 wrote to memory of 4980 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4624 wrote to memory of 4980 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4624 wrote to memory of 4832 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4624 wrote to memory of 4832 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4624 wrote to memory of 4832 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4832 wrote to memory of 4788 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4832 wrote to memory of 4788 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4832 wrote to memory of 4788 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4832 wrote to memory of 4368 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4832 wrote to memory of 4368 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4832 wrote to memory of 4368 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4832 wrote to memory of 3624 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 4832 wrote to memory of 3624 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 4832 wrote to memory of 3624 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 3624 wrote to memory of 2308 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 3624 wrote to memory of 2308 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 3624 wrote to memory of 2308 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 3624 wrote to memory of 5624 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 3624 wrote to memory of 5624 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 3624 wrote to memory of 5624 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 3624 wrote to memory of 5224 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 3624 wrote to memory of 5224 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 3624 wrote to memory of 5224 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 3624 wrote to memory of 6096 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3624 wrote to memory of 6096 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3624 wrote to memory of 6096 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 6096 wrote to memory of 4040 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 6096 wrote to memory of 4040 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 6096 wrote to memory of 4040 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 6096 wrote to memory of 5916 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 6096 wrote to memory of 5916 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 6096 wrote to memory of 5916 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 6096 wrote to memory of 4968 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 6096 wrote to memory of 4968 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 6096 wrote to memory of 4968 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 6096 wrote to memory of 5540 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 6096 wrote to memory of 5540 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 6096 wrote to memory of 5540 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 6096 wrote to memory of 3216 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 6096 wrote to memory of 3216 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 6096 wrote to memory of 3216 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3216 wrote to memory of 1640 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 3216 wrote to memory of 1640 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 3216 wrote to memory of 1640 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 3216 wrote to memory of 3332 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 3216 wrote to memory of 3332 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 3216 wrote to memory of 3332 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 3216 wrote to memory of 1296 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 3216 wrote to memory of 1296 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 3216 wrote to memory of 1296 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 3216 wrote to memory of 1012 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3216 wrote to memory of 1012 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3216 wrote to memory of 1012 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3216 wrote to memory of 5300 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3216 wrote to memory of 5300 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3216 wrote to memory of 5300 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3624 wrote to memory of 5084 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3624 wrote to memory of 5084 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3624 wrote to memory of 5084 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4832 wrote to memory of 5004 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 19-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
GB 2.18.27.88:443 www.bing.com tcp
GB 2.18.27.88:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp

Files

memory/3160-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

MD5 5d94c92d0e4d68fdd3b2bc6be6cef612
SHA1 cd2594f5a9da48781633962b78a22461b75dd54d
SHA256 b7bccca618d889b72c3ec43f142082cdf5e79df979817de0b884f6fbc2fac7d6
SHA512 fc04dc61ce316f16898ca6263687f562cd4a41ef5ed2dbe7b57e947d6672899e6d3e7bab6cb9be3c2d24af0e88dc4775d292a2bc62e866aa7e2b8f4363a99e9a

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

memory/4624-32-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

MD5 afd29303db6ee02aa734410f3c01467a
SHA1 066ab54884644cf713b05a861267a75f9fe753b1
SHA256 3bb428094af0fe29ea786d9a4d21cadb0f781555980c2cbc6a71dac977256a94
SHA512 e5bf3839f2b891d3441ceffff376d2e6a16a8459c05559123e6efa7ec3d277050f8afc7d5f344497a82b157e639288abb71c481d8225d11cf280a5d9b82207fc

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\drivers\system32.exe

MD5 f45bfc455b25678125656829daeaff37
SHA1 bcd7dd66bb760406eb2309cb09d1485a72b79430
SHA256 fa2f6cb1896cae9e32512ded50f8d5e9d9a2c35a5778e139fe3059ababb6ba5d
SHA512 3edb43da90f3249a40d44c04ad122cbd373d337842413373b637c27327dd69682f8721e8b5bb325dd816fbe2317f3c3389c21790149595cd2e1cd4185b52481a

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 c120a1d9ea52655be12440c73bcef24d
SHA1 1033a713e5fc432dc207b5bb0cf77c3f8140a8fb
SHA256 07983115433516c6b1d9175d16f1d82343c287575ebd107c01b9b3cbfd98c952
SHA512 935968d5159e8ebdcd65d274d09f7d7ca56f37d7fb3cd18efabb948a0dd2b157f9a7b1711312d7a7828ce7a1d6f61e060f553d648fd99058213c8f101f6553c8

memory/4980-70-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4832-78-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4980-77-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

MD5 ab30cdc327911d812d365eb2682b6f14
SHA1 000110c49df63032739224a822dca8181d2350a6
SHA256 c21216746e591bda1efc52627070344fc1d2c1c959f77d9435818ca80af53ed2
SHA512 80251f374d6c90d971321e10ac6620c6e07c96d9dfd9ce20235e23830a512127d2bd2271c7cc629db0477bafe4ffd631f186c0c6f74bc3d4fbdbe4ed7bb994e2

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

MD5 b5bd677dfc8d7b10c97fbafa25711035
SHA1 32801820f15d30ae990981a935ba1827d18462f8
SHA256 c8b9fbfe3a954c9ffb3f68455298d1a8e9b18d97d8162fb4090ee1c95cfe20b3
SHA512 2984d0cdfa0172e89940307ac88379082469baf3d923c4165a7a97af628b4c086f7f367b9538524e83e990e5dbdeb015d0db8d1aede9b92763f989bf77fc9755

memory/4368-115-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3624-120-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 39c26014038df5c722ce85ab22adbdd3
SHA1 80fd1d1bd7fd26db8d9cd4dc2fa117fcee0a2205
SHA256 9c31878274cb12180466f20466187480ae98ed3ef42f5297be226882e0f1814b
SHA512 1bec8f82c50f8abfc0ea636cbb4125824a0257ad12cb8ac5fbec895719343e9bb97e45a76bc40c298f588dfd0635ba01e6fcc346e0506c49f2f689adc46a5971

memory/3160-156-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5224-159-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5540-202-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\19-5-2025.exe

MD5 8ec9eac2665e276c0a158fda5bbbcac9
SHA1 001d59ca48d702d481e47c6d617a0bfb36e84a45
SHA256 3ed6f555acf21238604fb8650203483e64f004c303bc3d2fe198a4f95b6e6a63
SHA512 920cbd1a0b444c3354882408866ad75f8d02717b0d398ca70929a159bd224b3720338b88d73071ed21fd62316e3941a89d5fc7863dbd3b6b8018de46bda0ffe9

memory/3852-270-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5628-267-0x0000000000400000-0x000000000042B000-memory.dmp

memory/876-262-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1224-259-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5276-256-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3216-253-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3364-250-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5004-244-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5084-241-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5300-238-0x0000000000400000-0x000000000042B000-memory.dmp

memory/6096-235-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1012-234-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3332-229-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3624-224-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3216-206-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 e5a9999e3b680ff2ae33af57e8266496
SHA1 51601d01cc6b099b15b7f799b9b0fc87c3a42847
SHA256 c8b3fce4df5741daafb8dc9e21bdcdb9a96899ce2891ae39d46322f13d94150b
SHA512 cb1c72028cd0ee77cc5c2a29203bbe4686cec702dca0468bf0edba9674b5dd542b7c47d8440483f96e5cc8b3c39654a7c8d36f67dadf2e429bfa81491180abc5

memory/4832-196-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5916-193-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\19-5-2025.exe

MD5 a04f7c845150dc86333958f02fe39bad
SHA1 2b6133562469d70ce18532865630fcd34303c2b5
SHA256 786275f69251ad09f8af4b256ba17c26cb6447243cb26513a6d87bee68995f9d
SHA512 0f141d2426e74dd7046bc3bb6772dcf8fdc04dfea87c0c24176a7d79b78c7070c1701dcbf7cde0f259a78dfdcd435ff6669eb04051aaf1b3dfb9af0dd2af251e

memory/6096-164-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4624-163-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5624-153-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 084430f6e639cd980f5f3dd70679317f
SHA1 3258f33530907841187a40917660a73b89679705
SHA256 863958e4582bef80c15e1b8c52cbd40d875e54500b8b493b4ade788aeb7bc735
SHA512 32fef8486de0f316f8ea6f07b44f23437690358bbdd1eccb77006633574bd1ea0aa6a165a15d3cdfc6a89a475eefbc6f9292c5a0fe2c15d0c440ff394474f8df

C:\Windows\SysWOW64\19-5-2025.exe

MD5 146a99867d02ee314ef7e9a272195502
SHA1 f26afa19a67cd7ff27664073a4c15271fa0a4030
SHA256 fbe0025a648fd9ef8821edbc5ba5fa338f76e21a46766563be1326390121d8cc
SHA512 92a6ad3c02b9b631bfc1a4d9fa312abfd3fcf7d3049d4be65517624ae1ebe142efdf7ce65b64ed96f5295096d58463e5b8fcddf62c057f20a70cf857235fe4b6

C:\Windows\SysWOW64\drivers\system32.exe

MD5 251b6481ab586bfe0b6e2b8da69e4858
SHA1 2136a61ecee914975df5c661dd060e70de2c1ed1
SHA256 7bfc7f4ba3a24c5e461a6a29e72105db52e0a3c3810e376259ee1c7c738a08b8
SHA512 89152e3d629ef85f5d08591f7d1e41fd44022adde7cbe4f9309c3a72e3ab5b052ef706eee92460427fc9fde48c3c5578b939910927a74eaf5a4e4d3906843135

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 fffab0c0ed1f7dc1bd374b17f77d5c01
SHA1 98453ead12bf0b29d20aba56a8b61659c45a79d3
SHA256 2fa4cebc8bfc3de7cb787d4e267b9252832b78c410b17023c82ae8cf960dc245
SHA512 f7db684fc763392a0c7177c223145ef1d4d5756f2c26907ee99b54c570b0a0fd2c963ea141eca61765ecf45943a3bcdb2d2c3844c817f06ebeb719612535a134

C:\Windows\SysWOW64\19-5-2025.exe

MD5 73ad0531079c3da71e234fff12a2f0b4
SHA1 6ddca005f6cc9a447232b0271de6f59285c5d460
SHA256 d0e0b0cbc200d849fc498021d8e3296532397d086650d4515d6cebc9f39691d7
SHA512 d2b5967a0be49822702f05d8f97c42e675f3e6b63e6925d443a0a7b7c8b4df44b39e693ee229b72cdb2fc80bce5ee42a7cb98f9c54f74d4a351011186f407e04

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

C:\Windows\SysWOW64\mscomctl.ocx

MD5 9b88e635d9fb6dbc87a4b1fac2bd66cb
SHA1 b5eadf49ed0cb8b555643408a5f311b119e106d1
SHA256 e50b01dabb2c888aac0e0f52d7b83e142cd8296f8e3a1ce42d7be4654fdd6b15
SHA512 c23bf7fbb29e7e2e5f36ffec93a56337a4b88e246c44bb40777d80561eba6059b32d615fce390f46775e8107d506317ac78b821950351ad892a76289cb0d175e

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-19 14:47

Reported

2025-05-19 14:50

Platform

win11-20250502-en

Max time kernel

150s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A

Modifies visiblity of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\O:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\P:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\U:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification D:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\N:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\W:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\19-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-434880884-4028056734-3558218839-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5716 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 5716 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 5716 wrote to memory of 464 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 464 wrote to memory of 3724 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 464 wrote to memory of 3724 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 464 wrote to memory of 3724 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 464 wrote to memory of 3704 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 464 wrote to memory of 3704 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 464 wrote to memory of 3704 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 3704 wrote to memory of 4956 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 3704 wrote to memory of 4956 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 3704 wrote to memory of 4956 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 3704 wrote to memory of 4960 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 3704 wrote to memory of 4960 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 3704 wrote to memory of 4960 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 3704 wrote to memory of 5052 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 3704 wrote to memory of 5052 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 3704 wrote to memory of 5052 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 5052 wrote to memory of 3768 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 5052 wrote to memory of 3768 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 5052 wrote to memory of 3768 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 5052 wrote to memory of 5844 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 5052 wrote to memory of 5844 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 5052 wrote to memory of 5844 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 5052 wrote to memory of 4480 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 5052 wrote to memory of 4480 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 5052 wrote to memory of 4480 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 5052 wrote to memory of 4420 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5052 wrote to memory of 4420 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5052 wrote to memory of 4420 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4420 wrote to memory of 2252 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4420 wrote to memory of 2252 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4420 wrote to memory of 2252 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4420 wrote to memory of 476 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4420 wrote to memory of 476 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4420 wrote to memory of 476 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4420 wrote to memory of 2764 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 4420 wrote to memory of 2764 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 4420 wrote to memory of 2764 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 4420 wrote to memory of 4428 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4420 wrote to memory of 4428 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4420 wrote to memory of 4428 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4420 wrote to memory of 2840 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4420 wrote to memory of 2840 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4420 wrote to memory of 2840 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2840 wrote to memory of 1720 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 2840 wrote to memory of 1720 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 2840 wrote to memory of 1720 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 2840 wrote to memory of 5008 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 2840 wrote to memory of 5008 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 2840 wrote to memory of 5008 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 2840 wrote to memory of 1936 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 2840 wrote to memory of 1936 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 2840 wrote to memory of 1936 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 2840 wrote to memory of 2104 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2840 wrote to memory of 2104 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2840 wrote to memory of 2104 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2840 wrote to memory of 3428 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2840 wrote to memory of 3428 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2840 wrote to memory of 3428 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5052 wrote to memory of 1968 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5052 wrote to memory of 1968 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5052 wrote to memory of 1968 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3704 wrote to memory of 5504 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_5d94c92d0e4d68fdd3b2bc6be6cef612_amadey_black-basta_elex_luca-stealer.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 19-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Files

memory/5716-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

MD5 5d94c92d0e4d68fdd3b2bc6be6cef612
SHA1 cd2594f5a9da48781633962b78a22461b75dd54d
SHA256 b7bccca618d889b72c3ec43f142082cdf5e79df979817de0b884f6fbc2fac7d6
SHA512 fc04dc61ce316f16898ca6263687f562cd4a41ef5ed2dbe7b57e947d6672899e6d3e7bab6cb9be3c2d24af0e88dc4775d292a2bc62e866aa7e2b8f4363a99e9a

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

MD5 e01be64a0f61f6aead3d765396a07d7c
SHA1 e1f45b8f726488bbeba0cd1af019bae03db6689f
SHA256 94c8052e26a6a10505378d231b4d06bc0c149e75f7e0fa213f2576e1a39a44b3
SHA512 dc5b922413699c1a4a54f32030eb634c7d8e1153be3ff5b07b05abe8f185734fe0fd0ccd3f09d335f1d0e408466a075ab57ac5dca84e18058230cc2304513edc

memory/464-32-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

MD5 ba32c2f98c4ae46eb2ff657150d0cf55
SHA1 62604d84b009ada2ef578145469a4d250eec8c0d
SHA256 a53a7ceefbeb5fde1bbe5653457b1f5379f087e578862710debc82169f14228d
SHA512 33232fe5c5bde31e8e6fee74c1261e0fc165a1eca74cae60cfa22029ab73c705bf9ccba4ada1f72f2d35648d648b2790e65ff6e15897c235b9d2d15c239e4c4d

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

MD5 22597d4a223ddb646ade4558c83bd919
SHA1 fc5739974f10def75387e023bc819b67c496a3dc
SHA256 238332d0e33308a9ea970f030c3a56806aba74e7fa2d3bd201fa68a81a7411e8
SHA512 48bfd8b34bcc6ef538606ff9ffbbee37015e139136a0888c66a4244256a5802bb52c0b584a876692da6b7881691fce4f333e6318aefbc6037eb685b86d39f182

C:\Windows\SysWOW64\drivers\system32.exe

MD5 12410f6a5bc740bfffc65efc4263b7ab
SHA1 c66835b0f91671e244837b14f168450d9c84cdd7
SHA256 8d31c2d8152ff7aab799de9ca2ce1b253773e2356360df00b98ebb36d93a248a
SHA512 1a98b6de9679c0627fb414eb9d8a078c9a2c0f1e4e3234a51a755c1bfb33119b57ae640b429e61eaacdfa2aac9b7643c9c71d19533ddfde742d451c8fdd5e364

memory/3724-70-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3704-77-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3724-80-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

MD5 9770408be1196cc4c67229f33dba8cf8
SHA1 e7a8a9c0c596a4f01047760229df81b35e6d05be
SHA256 405f0c6c74488a5cd79b36a901ddc88127d138cc86745c3399e17baf58f18952
SHA512 fe10235db60a54ff265bdd901ee665aad461867cf79b401de45bab7d7746204e34093e0fe2ba08e85d1becdbb2901e9b6d9161de92f9dd34f076b3d466d1d26f

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\SysWOW64\drivers\system32.exe

MD5 8bef0a88aaa0e633ff55bf2a5279912f
SHA1 8e1beb4517b8e32b57ac65755663ec2d4fa2c331
SHA256 158ed1f93c61f437a720fdd2c5da37d66bbd6d63aaeebfe0e57a641cf47b31d0
SHA512 7528d24ac13f46cc65fa77efb125e53d9202f69581aca5158e2e8ac8ec86aaadb503ababb2a58f6f689fe1bef78740b231a5c0eb1d3cff7065b2821fbb792612

memory/4960-113-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4956-116-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4960-117-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5052-122-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

MD5 d823f79e21fb5bf664f346f9d59dc8ca
SHA1 eadcbd08cd5590cf5c6222a0a2da1fe251bdccb7
SHA256 f234335834c96803a6fe2cc1ecdf69c835d38c53196033487ebf489169dabbdc
SHA512 8e157a2c94b374d09507a53993a05e99b7aaf25e55356d8a1a73d89e05a9e6b43451a31243edccc1b413f724cf4c626e4b5d1e50caf34502c47096b78b804847

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 807ce72109998efb07dcdc39d9afcb8c
SHA1 8c63cf8c5b67c53b188c069afb8780cd764e3597
SHA256 ab4e27024d68d02970256c6950bc2eb02847374a2e409131e037bc5644af25aa
SHA512 86f1b3557626b53aeb02fd382d4238ca93349d8576d8215b11273f4da67a9d8b334a21c22267750a7cef75a25082d0c37937892ee8dd10655e50f1236cdae019

memory/5716-153-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5844-159-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4480-162-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4420-166-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3704-193-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4428-204-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2840-208-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2840-252-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1364-249-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3228-260-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5504-246-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1968-243-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3428-240-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4420-237-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2104-236-0x0000000000400000-0x000000000042B000-memory.dmp

memory/996-267-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5008-231-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5052-226-0x0000000000400000-0x000000000042B000-memory.dmp

memory/224-270-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\19-5-2025.exe

MD5 f237c8f8f009bfe2ad926deb3a7813d0
SHA1 865559b29d96405fdd6e1a0780476956a21ed984
SHA256 5b2f364d197978b5fff81bf4c31a1ff15706bbb3128d347962ff266389f8b5d5
SHA512 72b3597576562e466a1d03caf456339faf8f0b32c0a4a1d560b73042aede81e27dcd4db08ebc24014c22bb1c5fb8e61c31facb5c89977bb15d5f932234d95df7

C:\Windows\SysWOW64\drivers\system32.exe

MD5 4ad9239b67d53e75d11acdd58088f23b
SHA1 7db7d302d94d82ee0d62cc81e6f9993e7cbe5d66
SHA256 653d7e9e41be99654c5fa637e7d21a8c61769650216563967ca68356cd1649d0
SHA512 2d0933bfef1c151a44d6c5abdf17302501b54814f7269fc7716b102e365d0d3119208475879e5d698d29b65ca3cd61730387a449f38ff2b8b7ae0a3ae8c1eac2

memory/476-198-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\19-5-2025.exe

MD5 5c34b616ff7e71c5d4adebb631644401
SHA1 aabeced2816497e74f2d0399961543e3b21eebd4
SHA256 394efdb9637d0e8f56777d1981a54d99b83a98e9c366269fdb236952aa4511e4
SHA512 47089d8d46eebb65a564934214e258f287895456108b09d097ec74303becd6725c876b40bd888442c1a37d8075d7bf54ea73fa83048f5bac09622e68243b597a

memory/464-158-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\19-5-2025.exe

MD5 af3894156fd6f1ac5d5c2c4cfad25405
SHA1 df084cbcb865887a7b608ebd102601a3e06eadac
SHA256 98c283716767e32c4cfcc3dc9191d7567bd539e4977819217ef0c2100f74ccc0
SHA512 5bf3589e2d6cbfa2de46a54442d596c0d782c9310f7c9d0345a68ac034daedda9f411af9e0fc238770e60ae54c3e0a6756e1e2431ecee28fd4f51a0f1639d197

C:\Windows\SysWOW64\drivers\system32.exe

MD5 7c10a98006db77f85d3bb4e8aded0da8
SHA1 067172ede1ef518055c212b48dd307a45facad00
SHA256 36731782e7a1519dab9e64d852fcf6ae970653ce42d834b6ad7864aface73550
SHA512 164f18cb36999560a663a0ff6d6883d6cb4aee1accccb8fbd1f41825ea1d6ccfcb22e11904ba2bf5b8bd7cd5cbe9d5a68b0d075bdfca1cd719847e056360d883

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

C:\Admin Games\Gaara games - Naruto.exe

MD5 2d0764d5e8688a24ef5409941179b771
SHA1 4c355d1a104e0bc71da99f60c0814fa2201dd97a
SHA256 87458266cc7fcbee87ee3bc3ff49e072800573bc0e3ba80a63a8fa82d0dd8dca
SHA512 a781b5364d30b3aee53b021208ffbc9e8522bbdcd55b2c04c3873eed6c4d466c098fc22b38b2c1cccb971ad9f6de473cb8521b31b2ab2869a563e541100a63f9