Malware Analysis Report

2025-08-05 15:06

Sample ID 250519-swsmvsbj8t
Target 2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer
SHA256 489227276746ce1106b4d4e1a6dd73e77e6021038551f4bb858ac5413fb93bb5
Tags
upx defense_evasion discovery persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

489227276746ce1106b4d4e1a6dd73e77e6021038551f4bb858ac5413fb93bb5

Threat Level: Known bad

The file 2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer was found to be: Known bad.

Malicious Activity Summary

upx defense_evasion discovery persistence ransomware trojan

Modifies visibility of file extensions in Explorer

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

UAC bypass

Drops file in Drivers directory

Event Triggered Execution: Image File Execution Options Injection

Disables RegEdit via registry modification

Disables use of System Restore points

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

Adds Run key to start application

Enumerates connected drives

Checks whether UAC is enabled

Sets desktop wallpaper using registry

UPX packed file

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

System policy modification

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

Runs ping.exe

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-19 15:28

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-19 15:28

Reported

2025-05-19 15:31

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\W:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\H:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created D:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\P:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created \??\O:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created D:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\X:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\O:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\N:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\19-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\19-5-2025.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A

UPX packed file

upx
Description Indicator Process Target

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-186956858-2143653872-2609589082-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1360 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 1360 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 1360 wrote to memory of 4216 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4216 wrote to memory of 3060 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4216 wrote to memory of 3060 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4216 wrote to memory of 3060 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4216 wrote to memory of 4516 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4216 wrote to memory of 4516 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4216 wrote to memory of 4516 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4516 wrote to memory of 4832 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4516 wrote to memory of 4832 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4516 wrote to memory of 4832 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4516 wrote to memory of 4044 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4516 wrote to memory of 4044 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4516 wrote to memory of 4044 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4516 wrote to memory of 4024 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 4516 wrote to memory of 4024 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 4516 wrote to memory of 4024 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 4024 wrote to memory of 4716 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4024 wrote to memory of 4716 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4024 wrote to memory of 4716 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 4024 wrote to memory of 5020 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4024 wrote to memory of 5020 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4024 wrote to memory of 5020 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4024 wrote to memory of 1800 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 4024 wrote to memory of 1800 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 4024 wrote to memory of 1800 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 1360 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 1360 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 1360 wrote to memory of 4424 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 4024 wrote to memory of 3068 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4024 wrote to memory of 3068 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4024 wrote to memory of 3068 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1360 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 1360 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 1360 wrote to memory of 4344 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 4216 wrote to memory of 776 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 4216 wrote to memory of 776 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 4216 wrote to memory of 776 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 1360 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1360 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1360 wrote to memory of 2740 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4216 wrote to memory of 3604 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4216 wrote to memory of 3604 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4216 wrote to memory of 3604 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3068 wrote to memory of 2448 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 3068 wrote to memory of 2448 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 3068 wrote to memory of 2448 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 3068 wrote to memory of 4528 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 3068 wrote to memory of 4528 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 3068 wrote to memory of 4528 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
PID 1360 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1360 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1360 wrote to memory of 1220 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4216 wrote to memory of 4512 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4216 wrote to memory of 4512 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4216 wrote to memory of 4512 N/A C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3068 wrote to memory of 5084 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 3068 wrote to memory of 5084 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 3068 wrote to memory of 5084 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
PID 1220 wrote to memory of 2724 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 1220 wrote to memory of 2724 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 1220 wrote to memory of 2724 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
PID 3068 wrote to memory of 5028 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-19_9fbf1ff83b3c37e71173a3cd3df39f72_amadey_black-basta_elex_luca-stealer.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 19-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
NL 104.97.14.192:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 216.58.201.99:80 c.pki.goog tcp

Files

memory/1360-0-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

C:\Windows\System\msvbvm60.dll

C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe

memory/4216-32-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

C:\Windows\SysWOW64\drivers\Kazekage.exe

memory/3060-70-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4516-77-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe

C:\Windows\SysWOW64\drivers\system32.exe

memory/3060-81-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\19-5-2025.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

memory/4044-114-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4044-119-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe

memory/4024-122-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1360-127-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 9e2da44c1da5b1a68bcb0ddda435ccbf
SHA1 4efb327c71dbb8bd6bef3146a77bb0f4e4902cbf
SHA256 4b7675ee7c53fcb0d332b284eb12c2a23f70734468c8f3e464f52efa68c8166d
SHA512 f957340a013cc10de13e4a4de8e2f0490a81bcc8e090921bb025dfc537da33160008952650d57eb62f0dd2b87eea083ffae06755323205e9b706def11e367aba

C:\Windows\SysWOW64\drivers\system32.exe

MD5 d7db4c66be6d8ff9ebd8019b9d807256
SHA1 b8c4b3652695e9e1a7d1cf2ace4b4468f2e9c064
SHA256 6a8ab718350a267808b3b10fb0620dcd10753e1c744bcb230f07ff8eb03fb327
SHA512 e008f30083f63c0e9e79adf1cd18c35acbea678913b24c0fa7279c73d21720b681e6f40a9ba44a00da167e4d321d3cd028d19f98bcb1dab0a7761ba6a6646a1e

memory/4216-152-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4716-159-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4516-164-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5020-167-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1800-170-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4424-173-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3068-178-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4424-187-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2740-203-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2448-220-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3604-217-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4024-202-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 92dbf679eadff83ba4ad1336d3124754
SHA1 71d537e9fd202ef2b91cf117b028ec33e092c38d
SHA256 3c1aefdddaf4485217b0375f84e7ddf9ac5ad2f91966629ef36f826fdaaf842d
SHA512 c205045f0c631e7e59e23fe341b8c82ae19f69154eb95fe4b076cfc8591473b96e67a314845cbbf4787abf75ec8ebd3ec1bb387c5af4162e1d8200f41c34204a

memory/776-222-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1220-236-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3604-238-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2448-233-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2740-228-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4512-243-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4528-249-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3068-252-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\19-5-2025.exe

MD5 d265a52c834881c9d81b3e3fe06d00c2
SHA1 10ada1ce207baf6a59823e53cff0d1d2653ff4ac
SHA256 5e039a4c42600dfc961386373be825caa62bd8b6da3beb02f44e1c3440ab6a35
SHA512 6bc2587c86fd358040cfc99f808950fb0e297385458d22ad22bb464380fcdd7d8771ef569497801f80c261091f3a6c35c7236942cdaf526beed5f927cb539428

memory/4512-251-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5028-275-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5108-278-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4984-280-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4564-285-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3592-293-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1220-291-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4244-298-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3392-303-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1392-307-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3080-305-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1360-308-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4216-309-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3068-310-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4516-311-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1220-312-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4024-313-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

memory/1360-369-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4516-413-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

memory/4216-499-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4024-544-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3068-547-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1220-549-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Admin Games\Gaara games - Naruto.exe

MD5 475a9a2052fe3fd7275a6101fc223ba0
SHA1 48809163c9760a896a6ed4b0f8add85977b94280
SHA256 bbae37be3153718047f8d2b625e0a3a7b583909c5ced38c03799becca4f0139d
SHA512 f40df588d8a060361299230fc7c714dd568c243f4905e9e9febc0ba6923e83994bd792b902d31fde334315b51a2f2510c9f223bebeee6e27365bf45ef22f9f91