Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-mk1lfazzew
Target 2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer
SHA256 7824141023919e94ba72fbeded3258f7409b77568921e379c1c6a4bfb69015e4
Tags
upx defense_evasion discovery persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7824141023919e94ba72fbeded3258f7409b77568921e379c1c6a4bfb69015e4

Threat Level: Known bad

The file 2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer was found to be: Known bad.

Malicious Activity Summary

upx defense_evasion discovery persistence ransomware trojan

UAC bypass

Modifies visiblity of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies visibility of file extensions in Explorer

Drops file in Drivers directory

Disables RegEdit via registry modification

Event Triggered Execution: Image File Execution Options Injection

Disables use of System Restore points

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops desktop.ini file(s)

Checks whether UAC is enabled

Enumerates connected drives

Sets desktop wallpaper using registry

Drops autorun.inf file

UPX packed file

Drops file in System32 directory

Drops file in Windows directory

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Modifies registry class

Modifies Control Panel

Suspicious use of SetWindowsHookEx

System policy modification

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-29 10:32

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 10:32

Reported

2025-05-29 10:34

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A

Modifies visiblity of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created \??\I:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\K:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\P:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\29-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3612 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 3612 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 3612 wrote to memory of 1132 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 1132 wrote to memory of 4768 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 1132 wrote to memory of 4768 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 1132 wrote to memory of 4768 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 1132 wrote to memory of 2756 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 1132 wrote to memory of 2756 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 1132 wrote to memory of 2756 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 2756 wrote to memory of 3184 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 2756 wrote to memory of 3184 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 2756 wrote to memory of 3184 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 2756 wrote to memory of 2872 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 2756 wrote to memory of 2872 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 2756 wrote to memory of 2872 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 2756 wrote to memory of 1912 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 2756 wrote to memory of 1912 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 2756 wrote to memory of 1912 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 1912 wrote to memory of 3440 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 1912 wrote to memory of 3440 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 1912 wrote to memory of 3440 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 1912 wrote to memory of 4880 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 1912 wrote to memory of 4880 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 1912 wrote to memory of 4880 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 3612 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 3612 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 3612 wrote to memory of 3516 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 1912 wrote to memory of 316 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 1912 wrote to memory of 316 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 1912 wrote to memory of 316 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 3612 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 3612 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 3612 wrote to memory of 744 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 1912 wrote to memory of 2576 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1912 wrote to memory of 2576 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1912 wrote to memory of 2576 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3612 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3612 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3612 wrote to memory of 1772 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1912 wrote to memory of 1380 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1912 wrote to memory of 1380 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1912 wrote to memory of 1380 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1772 wrote to memory of 940 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 1772 wrote to memory of 940 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 1772 wrote to memory of 940 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 1132 wrote to memory of 412 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 1132 wrote to memory of 412 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 1132 wrote to memory of 412 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 2756 wrote to memory of 952 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2756 wrote to memory of 952 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2756 wrote to memory of 952 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1772 wrote to memory of 2692 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 1772 wrote to memory of 2692 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 1772 wrote to memory of 2692 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 1380 wrote to memory of 1388 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 1380 wrote to memory of 1388 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 1380 wrote to memory of 1388 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 1132 wrote to memory of 3328 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1132 wrote to memory of 3328 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1132 wrote to memory of 3328 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2756 wrote to memory of 984 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2756 wrote to memory of 984 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2756 wrote to memory of 984 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1772 wrote to memory of 4972 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 29-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

memory/3612-0-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

MD5 c5bfc9dfbf623b3d4d641c47d0bbe663
SHA1 34b0a631036bf5ca0b0f925775a754473a5c999c
SHA256 7824141023919e94ba72fbeded3258f7409b77568921e379c1c6a4bfb69015e4
SHA512 eda98400e5c25adf6f01e88e25406ad7eeaf9902b5e437352f06d5612712ae9c77588bc2855e1d5dc20525819f41d645fdfeb230259791d8307bb4dc8983faa2

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

memory/1132-32-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

MD5 c7857a2d8d97a1317ad024177e402f1f
SHA1 e83513f9944f2ee64670ff6857095a8bc662c230
SHA256 d7756cb9f0244a562a2737edc2d335218f4f508e973cf018454048f279d70bd9
SHA512 be1263d5a0d11e09765116e9bd7ef4dcaab949ea88432bdf42b4b400b1b3584d9d01269535ce99d74df70446faa5378218c4b9934f54a760c4925b5329296927

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\SysWOW64\29-5-2025.exe

MD5 ea2feaf6eb057271f9545c20494ff47d
SHA1 ae5bb6c70a5f4931b208871bfe14f1f714e9003c
SHA256 5b54d48318fcf92d945297265390e0722916a3e5d3c5619c38f10fd097c06bd7
SHA512 299c462bdbb766389c4d1ba387bbac9949f58125e8d2a91797080eb2c902ea9c24d3824f97115509f09ba893d51aa49b809e059e997183d786ec97780a2266a8

memory/4768-70-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4768-74-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

MD5 4a0ab6f8104fc3159077930552d8acd8
SHA1 3a816b7384056fa4d4748bf03f37489f167e9cc5
SHA256 206c4358297aa4293bab3c4630ee5c02ab28b2f39546d3937a5ce503da2aa277
SHA512 dff79135f168eed77b889790eb1a9a767f1244e34f71ae0cb0a8acb4b08bb68e04b402ffbb01243a758eb8660447ae0205d6f80e613a3b090bfd232565a5eeb2

memory/2756-77-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 5405b3c02e3cee715a025a9f42e9a1ce
SHA1 2815732ab6af4239ef056adafc470079ff6f4cf5
SHA256 17b9c4ccb7f9a749b8d7580676ffe6e5eb035230dfe649593ba061a3687b9e70
SHA512 7f4f47e4fb45ed35c4a53d2779239a8b7f6ce4830a0fecd4981d37ec8ebf5f7c3f2dc0fbca168acc914589c90147c81468b3b50403758dd16a1fc10477e956c7

C:\Windows\SysWOW64\drivers\system32.exe

MD5 a5bd4b5c9963d4dda410aed233814fe7
SHA1 fb8d39458edfad0298e6371ca13415a52581d22c
SHA256 fcbe24c7d6112472de527f1a671376d7fdbbc741e679bf1fde38f3d561d95b3a
SHA512 2312b4b935fd81891eb3d8ffd247d163e504a844abbc52df14b9e05c6e1bce8953f65e9fa34a8adc3339e0366a26ec3e99594da7a3c9b94a15b71f9127940cb9

memory/2872-115-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2872-119-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1912-124-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

MD5 72ea76d8528a5893758e3771c327460e
SHA1 04a7be3e67139ddbccf74729ab526bc9cb869533
SHA256 32096fb958d10d96cce552d55caccaff62a48bd13f159011de4f080cf8829c5d
SHA512 f1eb9d9e93d5876d666a8b7bef95a8d03e9953abde0731b74901a766266f46486107de1e9ea2f89baea8f22ff7f630605397119c20957dd5ffd4b6f641a769b6

memory/3612-127-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\29-5-2025.exe

MD5 9b9bd4a1f8b7a32f4fe3a9e80e32c478
SHA1 b7c2fb6c21d779413ed69da39c86d6ce438d7faa
SHA256 5426dafa638343b5fd6c6f293d29d798a5a5ce50b0c1b69f13db94afaf21fd2c
SHA512 8aaa03d7464ac4eadba7be9cd6ef57fbc28abd4667e658312a501adf9082c9375d18c6501ee160e564359eaa8559d18dce557b15d4fdf3ef2db771e145175329

memory/1132-153-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 7cdc6221c52d870d2f7445f37e89d7be
SHA1 61a03f1ec48121c360a71da6ab12cecddafce891
SHA256 a07b30d0882f565d0dd638f9745a3ace66516b5c75323c0fb4b939791a72b9ed
SHA512 faad33ff22652df5989a314a4fee1696e7ff281b8508cb007d86873e44066967d0d24cad2d24d71a172dade8233328ae14c742667430b1f2fc8c216410802c72

memory/4880-159-0x0000000000400000-0x000000000042A000-memory.dmp

memory/316-170-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2756-169-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4880-173-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3516-178-0x0000000000400000-0x000000000042A000-memory.dmp

memory/316-185-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 a25a3f0a8fa81cc94eafcb0a95930b78
SHA1 892f3a882eeedb57e8156afaa75d2bd82f44a91b
SHA256 a0a9507872590860ad6ca53455c71ebfe03eb128acacae203fc89cbd809769f3
SHA512 242a403a2f8b11f11ca535563116cfce3c1d80cd36db55e06bef266d9579b2c7628ed210941de464a778a9957e794677a3069f0b2aa4ba375f9a2b24ecd6700c

memory/2576-190-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1772-188-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1912-195-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\29-5-2025.exe

MD5 d3af1d59385757b36d46fb2eca161120
SHA1 3abff666c4a691f0dcab9127bfd727d21549cc52
SHA256 5bdb935e4a383570944cc8441cb73374823d40332c1cefe0384ae5b872b46f66
SHA512 62d8403c9d899be43af3cd08e1e88c79477429ed5fcac26f156bef606187f832ac3285d615e3f4b6493949dbe2273668f5f37d6330a6d7747aa28a2c727ec0b6

memory/1380-215-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2576-203-0x0000000000400000-0x000000000042A000-memory.dmp

memory/412-224-0x0000000000400000-0x000000000042A000-memory.dmp

memory/952-230-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1772-251-0x0000000000400000-0x000000000042A000-memory.dmp

memory/984-252-0x0000000000400000-0x000000000042A000-memory.dmp

memory/412-255-0x0000000000400000-0x000000000042A000-memory.dmp

memory/952-260-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1380-263-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1388-267-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2692-262-0x0000000000400000-0x000000000042A000-memory.dmp

memory/984-271-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3328-274-0x0000000000400000-0x000000000042A000-memory.dmp

memory/724-277-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2204-283-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3464-287-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1636-299-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3808-301-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2324-305-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1132-307-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1772-308-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2756-309-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1380-310-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1912-311-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3612-312-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1132-313-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3612-343-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

memory/1132-377-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

memory/2756-452-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1912-454-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Admin Games\Kazekage VS Hokage.exe

MD5 2efe26b0e46f223693da51ef38fc1526
SHA1 8e0b9120b1688a4f87462b1d389f03cf8b5da283
SHA256 f4ffd77fb0f0610d625de356929c51399a5caa0895243c23a28824503b72a8e6
SHA512 c12d746ffaf2b6782998da4c36db8ec75fadffcd5e56331c798516edac6e60b224f2c5075983b3a973e3a685a318df09156aaa307a0cdc9b6f7c126a2531d342

C:\Admin Games\Hokage-Sampit (Nothing).exe

MD5 98b46f59dcc950f10828147c628aef4a
SHA1 7b0b9b4d82748123975ae96c3d1a777ff76123f6
SHA256 cb636bb339fea45c0b304b73eeaef43dd5069aa6544a88ba5bc5b2369ca261c0
SHA512 5cac49ccf70535c320a90f3a5165fd44a397b6c6c649309a40e20d62a6b7c4a2da9f52fdf6aea27e55d4056a43373ec947fb2818e4481d6cfd70f6dfa5127caa

memory/1772-586-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1380-588-0x0000000000400000-0x000000000042A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-29 10:32

Reported

2025-05-29 10:34

Platform

win11-20250502-en

Max time kernel

149s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A

Modifies visiblity of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\A:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\H:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\K:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\M:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\J:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created \??\O:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\29-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5940 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 5940 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 5940 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 4068 wrote to memory of 3132 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 4068 wrote to memory of 3132 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 4068 wrote to memory of 3132 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 4068 wrote to memory of 4884 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 4068 wrote to memory of 4884 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 4068 wrote to memory of 4884 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 4884 wrote to memory of 4860 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 4884 wrote to memory of 4860 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 4884 wrote to memory of 4860 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 4884 wrote to memory of 4956 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 4884 wrote to memory of 4956 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 4884 wrote to memory of 4956 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 4884 wrote to memory of 5084 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 4884 wrote to memory of 5084 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 4884 wrote to memory of 5084 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 5084 wrote to memory of 4212 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 5084 wrote to memory of 4212 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 5084 wrote to memory of 4212 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 5084 wrote to memory of 5492 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 5084 wrote to memory of 5492 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 5084 wrote to memory of 5492 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 5084 wrote to memory of 4464 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 5084 wrote to memory of 4464 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 5084 wrote to memory of 4464 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 5084 wrote to memory of 5116 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5084 wrote to memory of 5116 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5084 wrote to memory of 5116 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5116 wrote to memory of 4468 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 5116 wrote to memory of 4468 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 5116 wrote to memory of 4468 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 5116 wrote to memory of 2192 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 5116 wrote to memory of 2192 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 5116 wrote to memory of 2192 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 5116 wrote to memory of 5856 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 5116 wrote to memory of 5856 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 5116 wrote to memory of 5856 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 5116 wrote to memory of 3048 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5116 wrote to memory of 3048 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5116 wrote to memory of 3048 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5116 wrote to memory of 4160 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5116 wrote to memory of 4160 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5116 wrote to memory of 4160 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4160 wrote to memory of 1680 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 4160 wrote to memory of 1680 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 4160 wrote to memory of 1680 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 4160 wrote to memory of 2724 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 4160 wrote to memory of 2724 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 4160 wrote to memory of 2724 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 4160 wrote to memory of 760 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 4160 wrote to memory of 760 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 4160 wrote to memory of 760 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 4160 wrote to memory of 1504 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4160 wrote to memory of 1504 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4160 wrote to memory of 1504 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4160 wrote to memory of 1576 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4160 wrote to memory of 1576 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4160 wrote to memory of 1576 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5084 wrote to memory of 2484 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5084 wrote to memory of 2484 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5084 wrote to memory of 2484 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4884 wrote to memory of 2120 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-29_c5bfc9dfbf623b3d4d641c47d0bbe663_amadey_black-basta_elex_luca-stealer.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 29-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Files

memory/5940-0-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

MD5 c5bfc9dfbf623b3d4d641c47d0bbe663
SHA1 34b0a631036bf5ca0b0f925775a754473a5c999c
SHA256 7824141023919e94ba72fbeded3258f7409b77568921e379c1c6a4bfb69015e4
SHA512 eda98400e5c25adf6f01e88e25406ad7eeaf9902b5e437352f06d5612712ae9c77588bc2855e1d5dc20525819f41d645fdfeb230259791d8307bb4dc8983faa2

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

MD5 c7857a2d8d97a1317ad024177e402f1f
SHA1 e83513f9944f2ee64670ff6857095a8bc662c230
SHA256 d7756cb9f0244a562a2737edc2d335218f4f508e973cf018454048f279d70bd9
SHA512 be1263d5a0d11e09765116e9bd7ef4dcaab949ea88432bdf42b4b400b1b3584d9d01269535ce99d74df70446faa5378218c4b9934f54a760c4925b5329296927

memory/4068-32-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\29-5-2025.exe

MD5 ad18e835a7b2ebad6d33f64a01d4da41
SHA1 7e6e0618180a96c259e34794be2f6fb6064315db
SHA256 e2c553ceca6b15a7f46209cc85611d96204627ab3c812dc080ed7fa19b07b8d5
SHA512 e37142a105a49ffbb608feee4ec479bca6adcb382db128559d902e19906a0e3eb5dc2b84b06890893063282ef6251bb3c9ec7bbe052cdae7d3fdfd251178c5c8

memory/3132-70-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4884-79-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3132-78-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

MD5 4a0ab6f8104fc3159077930552d8acd8
SHA1 3a816b7384056fa4d4748bf03f37489f167e9cc5
SHA256 206c4358297aa4293bab3c4630ee5c02ab28b2f39546d3937a5ce503da2aa277
SHA512 dff79135f168eed77b889790eb1a9a767f1244e34f71ae0cb0a8acb4b08bb68e04b402ffbb01243a758eb8660447ae0205d6f80e613a3b090bfd232565a5eeb2

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\SysWOW64\29-5-2025.exe

MD5 08a749e4584b8e9dc05d7a9797298eef
SHA1 33d415f4e7a359fcf0b2e1c10ee02fdc45aa1277
SHA256 515bf14a952d92be659cc426155cfe3aedee44232fa28003ac8c5611b6a95f3d
SHA512 5e112f8feaa48c7a98fe0b6ad9bf2f80189df747df6319d1c2c777dfbeafd7181c2679fd04916cb27b7af85c8cb5a6159ca08d12382e5ad9e021c6c9e6005a89

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 b03036d3117ff4719c87aeade1cdcef1
SHA1 d2014ff06414c9a8e6a23dc21dd73c9189bdeccf
SHA256 b882101ae404b35bf231738803a0bb7377e6c8d155d9eeccdd669902cd7f43ef
SHA512 9088b0911fcbd9ee8e8478bbd346121380c1077fd160feaa0a49596f5eeae3ac3eb6aabd7038c8ed26ec149e5d0a8b606125b805ee4eb42b00e4efda34c69387

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

MD5 d129383fb405c3b0102dae6f37b3608b
SHA1 910036635852858e81679c83b2a17ac0b2d0667a
SHA256 4b60ecb3e84640281c1e9486b5d5aecfc46e32aab1cc06d84f7df5c9259741d9
SHA512 d943a9363f4f66c01747b3deacb3e1dfc33c48a630d9c467934ed931b92b766fbcf9c6e3a12fecee0ecbcd121a68b262f690636f760efc23798ae98c8fab8fc2

C:\Windows\SysWOW64\drivers\system32.exe

MD5 4c0dd19870d31c955ff305ffbef90031
SHA1 8841ce03babd2571a5d86d3e128b825e06af9ba2
SHA256 2fc027aaccd4f3930aad9f66e7172e6cd2632ceb2c9ea86e2695aa7b533a1164
SHA512 a5f474b64877e48df03733a44c3ff0ee6fda75f1eafef8501e120398955b53dfee3a6660fc8a88b359d5edf1fed73e4ef794da2859b2f396fc3e5a9a66008b15

memory/4860-110-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4956-119-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5084-124-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 b8652764f752e749e46df26bb89c9ece
SHA1 01f4665d7a022906407fdbd3a2d77c6ed7120416
SHA256 40708a6848a9a231b46ba382b81fab0aa2069341633b87a1212f98cf614562e3
SHA512 f109b3f528aa0f9850391ba81754ef687f18c758c3398ab9bc1fec2152859c65567c3d3a80d3d539f9d09c5489a9efdaf609d7bcc825608311535b8f3ed09b31

memory/5940-162-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4464-167-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4464-165-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5116-172-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4068-171-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 59deb7780b8bf03eb2fb9e61699ab95c
SHA1 e41fb356783eb15e8b5f19f2b2d6fffe98e4d813
SHA256 54859cb06b347cc51145239bd4a6203e2b3d253fd93ea5b9458f9dda0a930fac
SHA512 3c54cdcfd036baae6f59bb506ece5c1d9bdfc63363a357dc6f07cafb621c9214bad06195e16229a1f12032da05e3b705d9ce81f0a099d5cf757689782070691e

memory/5492-161-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 5884d5eaa96a903589ef85f6d004634a
SHA1 9da34c5883074393235c5dc69bb272181742c9ab
SHA256 9d4581dbdc15519103715c05b2f9c6426b5b68a94b4e2d428b666005c45193d4
SHA512 80b38bc9eb71372d4c32c5ee2a4ae7fa18a79deaa14d04ba7a8b7d28ff75de3ac8a4b869a68d6e864c2edc77685f943f478785ec260df8640946ec4ab8bc4b01

memory/4884-195-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3048-215-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2724-243-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2740-297-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3468-293-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1916-286-0x0000000000400000-0x000000000042A000-memory.dmp

memory/224-282-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3444-278-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4160-274-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3936-270-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2120-266-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2484-259-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1576-255-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1504-251-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5116-247-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\29-5-2025.exe

MD5 7939ea84955e704739fbdaa293639198
SHA1 6e7a38190d46133989e2dee4cef56368298ebef2
SHA256 24fd3c153c2c4cc4e2c578e7aa2b43b5029a5c5d8cad9553410462c171f2824f
SHA512 ed98e4313e88e31c3407dd2620d9b08162dea5b7381d7ade19d9e8a269e2cb5bf7da1f7d3e5758b21bb4a3dac70f183cde9168688680dc3fb01dc7d7a1c03f16

memory/4160-219-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5084-211-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2192-206-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5940-298-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4068-299-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4884-300-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5084-301-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5116-302-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4160-303-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5940-304-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

memory/4068-377-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

memory/5084-488-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Admin Games\Gaara games - Naruto.exe

MD5 a89a20e5e0ff567a509e809465d6c92b
SHA1 7e9419a545f6bb09c3a87024623c403c53ed8e45
SHA256 65fd798ae4cacca41d279b40370c39a51ffb658e0d92fc4640af46f1ee4b6206
SHA512 5d38feb09fe3f33d21692c2be5b61c6fa23334ecbda6ebe7737f7496be404a24178a1dc86ff08fe87d2fb6c10f6b008a7c654500700072ad9c21929747e05fa7

memory/4160-553-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5940-576-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4884-578-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5116-580-0x0000000000400000-0x000000000042A000-memory.dmp