Malware Analysis Report

2025-06-16 06:28

Sample ID 250529-nxe1ya1vct
Target 2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer
SHA256 e004dd9f230d14d73324973ae5a9770dfa76faee4d3792e561bb48b519d883e1
Tags
upx defense_evasion discovery persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e004dd9f230d14d73324973ae5a9770dfa76faee4d3792e561bb48b519d883e1

Threat Level: Known bad

The file 2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer was found to be: Known bad.

Malicious Activity Summary

upx defense_evasion discovery persistence ransomware trojan

Modifies visiblity of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Modifies WinLogon for persistence

UAC bypass

Disables use of System Restore points

Event Triggered Execution: Image File Execution Options Injection

Disables RegEdit via registry modification

Drops file in Drivers directory

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Checks whether UAC is enabled

Drops desktop.ini file(s)

Drops autorun.inf file

UPX packed file

Drops file in System32 directory

Sets desktop wallpaper using registry

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Runs ping.exe

System policy modification

Modifies Internet Explorer settings

Modifies Control Panel

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-29 11:46

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-29 11:46

Reported

2025-05-29 11:48

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visiblity of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\G:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created D:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created F:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\X:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created \??\O:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\29-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3951986358-4006919840-1009690842-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5248 wrote to memory of 5732 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 5248 wrote to memory of 5732 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 5248 wrote to memory of 5732 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 5732 wrote to memory of 1264 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 5732 wrote to memory of 1264 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 5732 wrote to memory of 1264 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 5732 wrote to memory of 4372 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 5732 wrote to memory of 4372 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 5732 wrote to memory of 4372 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 4372 wrote to memory of 4672 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 4372 wrote to memory of 4672 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 4372 wrote to memory of 4672 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 4372 wrote to memory of 3356 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 4372 wrote to memory of 3356 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 4372 wrote to memory of 3356 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 4372 wrote to memory of 548 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 4372 wrote to memory of 548 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 4372 wrote to memory of 548 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 548 wrote to memory of 4996 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 548 wrote to memory of 4996 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 548 wrote to memory of 4996 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 548 wrote to memory of 2392 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 548 wrote to memory of 2392 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 548 wrote to memory of 2392 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 548 wrote to memory of 2816 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 548 wrote to memory of 2816 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 548 wrote to memory of 2816 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 548 wrote to memory of 2368 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 548 wrote to memory of 2368 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 548 wrote to memory of 2368 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2368 wrote to memory of 3228 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 2368 wrote to memory of 3228 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 2368 wrote to memory of 3228 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 2368 wrote to memory of 1200 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 2368 wrote to memory of 1200 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 2368 wrote to memory of 1200 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 2368 wrote to memory of 2240 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 2368 wrote to memory of 2240 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 2368 wrote to memory of 2240 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 2368 wrote to memory of 4984 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2368 wrote to memory of 4984 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2368 wrote to memory of 4984 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2368 wrote to memory of 1100 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2368 wrote to memory of 1100 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2368 wrote to memory of 1100 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1100 wrote to memory of 4936 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 1100 wrote to memory of 4936 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 1100 wrote to memory of 4936 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 1100 wrote to memory of 2096 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 1100 wrote to memory of 2096 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 1100 wrote to memory of 2096 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 1100 wrote to memory of 2080 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 1100 wrote to memory of 2080 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 1100 wrote to memory of 2080 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 1100 wrote to memory of 4144 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1100 wrote to memory of 4144 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1100 wrote to memory of 4144 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1100 wrote to memory of 5232 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1100 wrote to memory of 5232 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1100 wrote to memory of 5232 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 548 wrote to memory of 5204 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 548 wrote to memory of 5204 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 548 wrote to memory of 5204 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4372 wrote to memory of 4408 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 29-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
NL 142.250.27.94:80 c.pki.goog tcp

Files

memory/5248-0-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

MD5 404422d6216f51d4af2865176fc3f6cd
SHA1 32681cbb1902ec1d159c34411730a0175e608fba
SHA256 e004dd9f230d14d73324973ae5a9770dfa76faee4d3792e561bb48b519d883e1
SHA512 f972e5984d5df64f066ba6d83668d94437a5dddef8a7d2d305f1daee32d47c20d023eacd2ba61c29e752e8054c922c6ab7e20a8dd801b5f0bf9598c0fec2c157

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

MD5 c4f74a3c27302b2fbd683577802613b5
SHA1 b4790688317be23e9724d75f7f640af59ca7e982
SHA256 01a268fe4f9cf5c33f459419cf48eae47e1566f1cca40537dd919d24e040fa7b
SHA512 e35513f7742431fb5577c68c54ea25af61fbbe03c548171548720a194abcb952528008058de1f871cfed271ba93a8b9e0ac7a5e21c852d91c8a94567acc1ed45

memory/5732-32-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

MD5 3bbeb14bade7d57da0d757b80c15044b
SHA1 1114e47b10160568b5b016b99cffe836dd83e8ce
SHA256 37295137250d2ef9465b3e7298b3a154b78dcc2310ddae1e80617016880bec03
SHA512 2cea3ef8aa3a42d7f88f5c1186d757bf957c9f52c5d062db6396f57875484de28d8ccf8bf7689e15a11a6fe0cd9137041e0f7ac70539709ff660a772a4ee3885

C:\Windows\SysWOW64\29-5-2025.exe

MD5 0dc721747ab7f328c56ac61672e99213
SHA1 d91e7ca439b74e98b3ced2f0dfa1bd712f1fc832
SHA256 defa1e6e9be6e542ba3de083090f7386ab96133a1db641ab474d61012a86d00e
SHA512 78cb0f1a81860c9972ed4b995c09e78b07c40494eb6e1e60722044ee7ab6a4b13ac6ff02718f5f0b304f3d990afcc5f75cfad8255d03d5c3cdd1e59c5af935df

C:\Windows\SysWOW64\drivers\system32.exe

MD5 b34061f86124988a54e714ea451b8228
SHA1 bc7fc6f464ad721642c2aedb2da19c84eb9931af
SHA256 54105b171dc5c263c53ae5fddf87e4b8cc4949464e3ad0d9d75d605c43a1f7ec
SHA512 4f500de6b75b50488a7f74b17d892a38a78376b3f1ddc8a9b2dbb30ac58c24cfb5b4603e1b30f7cde4355236448e346cdb012b6f953fd9437677c80ffa9c0e4c

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 d3672cd0480b66fc45d039d89de0b120
SHA1 fec8a021a757dcf7189318d67b650b90c898f456
SHA256 b72d20d2051cd4b1719be91e225f46acc9408e3ad427ac2e729d56e8478077d7
SHA512 5095933ab7c44dcfafb5e04d4a80f7bad5cb33d8439b7a3e1063ad8baa6d84c6fc10f420316777def9d85301c4d838ccd665a11413c0394de56b6f3a28236136

memory/1264-70-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1264-73-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

MD5 b4bd185a59cc4294dc4d17aed220db83
SHA1 31af11f1545ed3440f181fbb50c1f08a71d9b2cd
SHA256 6230bc0d5712f0e9695743884110245edbee3df7f5dafc184dfc08bac47cc19a
SHA512 c5cf25b45969ac43689021f7f25abe35ea350e6622cb61383ebd436761da64c6f18f50c80d8e92ad84acfb8123b63f4822e3249dd0e7a2cee1fe380e627aabd0

memory/4372-78-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 ce950179685775ffdd1a784e02a50210
SHA1 e4a0d9b80700c6f21a3c3d0907b2361f2018d423
SHA256 6f88bb16d5e1c04edfc2db5c74def8206482484424ae18893d4237e9d83f36a9
SHA512 2372808b80fdf631860f93be3b0f7ec505fabfb448fa904d8528d2d3e75dd8918e70403db4f66fdef117573ed6bbafbdd1206564ef3263c2eb2336acb61e9225

C:\Windows\SysWOW64\drivers\system32.exe

MD5 c754ff31dfe4d4ec53d3c3804daa0cc4
SHA1 b3b6f163ecabc9ac500866f0867d9846cd063722
SHA256 03df47a0e1c479eab6e1772b55ecca96b93fd9a5395bae7d4e98beebd41da61f
SHA512 89b088f1a1094aeb5539d16b0b11242df5f9ec452212ed3c47f4682a2d594babc9aac5ba28e9abd2c6fb84bf86c7ba6d57e4325a7ca479d69b52c57973f693a7

memory/3356-116-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

MD5 88b228dfc4a6f3c472707767dc6918c1
SHA1 e644fb1861d3959548239be8fcc7d4c1c8c6b660
SHA256 f1d63f0d20fe320b77721b4fe092a6f716fb724a366c8e567cd074ced6b0c12c
SHA512 7e8dc8cbfb4536ba17cf2e549910647ba335ea24713ce6dba18cde55d7ee7d9a75cbd82910349d58fc53e2f3a30663b1607327b9d592b5bff35059a58500c575

memory/548-119-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\29-5-2025.exe

MD5 2fc194bf9c56b46534ecaf5c89c89fd0
SHA1 46dcbb8a7fd054fb68744c19dc11c45d43015317
SHA256 d4f81180c9807ac67efe51745156393f50ed4da15df1765c8dcfda9b21f50d03
SHA512 0796a7d6b09516b7fe499a92b579bfce6aa392491d8aae84cb915d3fce540268c500f2e3ef855a02410e678e080035a5ad4a70633075a05ec0544669a971493d

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 0e0fc2ced4a39c6e0a11079506410559
SHA1 a7e0c98840613f2a8ab596033c6bcd88957e4fb5
SHA256 add56237b4682d41a2b6a4d17f2f325628c7854981f89d226c164cb162a2ac07
SHA512 a9fbf8fadcb566113a9ca0c38298c014dea336ac3b272955b78448da4486ff78a018b02edccde8d3aa883f26e00c7934e0ac5178f9175a4af7d1a0cda00db15b

C:\Windows\SysWOW64\drivers\system32.exe

MD5 417c2a95e8f310b219058a47da2239d2
SHA1 c10ed0a1470670b0614ab33b6f46bb3a2c471933
SHA256 af596488fb81f584bbb8ed4d26f94a4c37e879f07697695bfd64872dd4dcec69
SHA512 b8d61bede18f54960dfcede520150e4297c5c6d9c4c404ba9e98dafe5b65d487908e73f298af537ff323fc1f6cfc9bef6c8e6d603aca4e7596c7a1ed49b8f8e0

memory/5248-148-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2392-155-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2816-162-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2816-166-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\29-5-2025.exe

MD5 30187d1b8a1d60245c7aefaf0d37d81d
SHA1 8b6946c86f338ca235f6597b969145bac66d92bf
SHA256 1a00fce8561748395ec55ecde2d7f03b94434a80906e0171d80e593cb6c71648
SHA512 70ef5ef0f021e51f1f50be2f4ae6edadff97300cbc2d66d028efe17d6d2a8c544e28e7495f97b568e41366e183e9c08be9af694d4049eeb7233a541bfd9a2f8a

memory/4372-204-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4984-212-0x0000000000400000-0x000000000042A000-memory.dmp

memory/548-234-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2096-241-0x0000000000400000-0x000000000042A000-memory.dmp

memory/364-280-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2148-284-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5796-291-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1740-276-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1100-272-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1404-268-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4408-261-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5204-257-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5232-253-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2368-249-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4144-248-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\29-5-2025.exe

MD5 5ca83dc2e1a4c80a87f6ba1b17aabda9
SHA1 20a4b9a1c4431f6a03827b27331b7e436c73a1e2
SHA256 5f25cec87e7f45f453fa7b985229d74cedd899e4026596d4734f61c23a220d0f
SHA512 5800e2b0be5bc2cb275c6c5f02e400170c5a0c9d6f6a23f27533a04985982cb70018817e4d9abaca1da79f189e5f6c517ed5014c031c0fe68503a45b70a5939b

memory/1100-216-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 ec7df29c634559341bef61fa7b7b7c21
SHA1 4a81f3c5fcc8a2a14aa9c8d54cd154e8e11b2ebb
SHA256 0a77db3771b709a8d14a12e7abc153fabe9daa7317e12837c675a7bda1c37cb9
SHA512 f15bd5d663d3e6dd63a8440de17cb667ea1d45366fb17ee4cc12b13402180295c84d444941b4f2561d4a6327bf8002971832513df8e88980ee5a523c2e44c922

memory/1200-201-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2368-170-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2392-159-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5732-154-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5732-295-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4372-296-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4016-298-0x0000000000400000-0x000000000042A000-memory.dmp

memory/548-299-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2368-300-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1100-301-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5248-302-0x0000000000400000-0x000000000042A000-memory.dmp

memory/548-305-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2368-306-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

memory/5248-360-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

memory/548-489-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2368-520-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Admin Games\Hokage-Sampit (Nothing).exe

MD5 2bfdf5c0e765b50f289f68e8f3b39735
SHA1 8335cd278d64957e4e2f7f76b3b897f2e84a2a8a
SHA256 2d5a59b7483a4d1bcbc1719399526b7a7e77aef88c6814c4a15133e1c44615ce
SHA512 c810b47c50d6092a13b030a833d0d1c2430d01fbc2b01632006e2bb21280aa8d23a98d2f629bc12fa3dd624c45e74921ed6e1fd13445c41c7c4fc9211254f570

memory/5732-575-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4372-576-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1100-579-0x0000000000400000-0x000000000042A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-29 11:46

Reported

2025-05-29 11:48

Platform

win11-20250502-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies visiblity of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 29 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "29-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 29 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created \??\H:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\X:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created \??\X:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created \??\O:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\J:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created F:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\M:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created \??\U:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\29-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\29-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1245416451-815278583-4285364870-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3720 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 3720 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 3720 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 2732 wrote to memory of 1288 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 2732 wrote to memory of 1288 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 2732 wrote to memory of 1288 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 2732 wrote to memory of 3424 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 2732 wrote to memory of 3424 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 2732 wrote to memory of 3424 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 3424 wrote to memory of 4960 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 3424 wrote to memory of 4960 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 3424 wrote to memory of 4960 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 3424 wrote to memory of 5072 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 3424 wrote to memory of 5072 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 3424 wrote to memory of 5072 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 3424 wrote to memory of 4952 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 3424 wrote to memory of 4952 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 3424 wrote to memory of 4952 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 4952 wrote to memory of 2460 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 4952 wrote to memory of 2460 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 4952 wrote to memory of 2460 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 4952 wrote to memory of 5324 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 4952 wrote to memory of 5324 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 4952 wrote to memory of 5324 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 4952 wrote to memory of 4712 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 4952 wrote to memory of 4712 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 4952 wrote to memory of 4712 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 4952 wrote to memory of 5852 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4952 wrote to memory of 5852 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4952 wrote to memory of 5852 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5852 wrote to memory of 2320 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 5852 wrote to memory of 2320 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 5852 wrote to memory of 2320 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 5852 wrote to memory of 684 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 5852 wrote to memory of 684 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 5852 wrote to memory of 684 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 5852 wrote to memory of 444 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 5852 wrote to memory of 444 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 5852 wrote to memory of 444 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 5852 wrote to memory of 3208 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5852 wrote to memory of 3208 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5852 wrote to memory of 3208 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5852 wrote to memory of 724 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5852 wrote to memory of 724 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5852 wrote to memory of 724 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 724 wrote to memory of 2828 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 724 wrote to memory of 2828 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 724 wrote to memory of 2828 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe
PID 724 wrote to memory of 5820 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 724 wrote to memory of 5820 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 724 wrote to memory of 5820 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe
PID 724 wrote to memory of 3396 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 724 wrote to memory of 3396 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 724 wrote to memory of 3396 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe
PID 724 wrote to memory of 2976 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 724 wrote to memory of 2976 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 724 wrote to memory of 2976 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 724 wrote to memory of 4176 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 724 wrote to memory of 4176 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 724 wrote to memory of 4176 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4952 wrote to memory of 1548 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4952 wrote to memory of 1548 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4952 wrote to memory of 1548 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3424 wrote to memory of 888 N/A C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-29_404422d6216f51d4af2865176fc3f6cd_amadey_black-basta_elex_luca-stealer.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 29 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 29-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Files

memory/3720-0-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

MD5 404422d6216f51d4af2865176fc3f6cd
SHA1 32681cbb1902ec1d159c34411730a0175e608fba
SHA256 e004dd9f230d14d73324973ae5a9770dfa76faee4d3792e561bb48b519d883e1
SHA512 f972e5984d5df64f066ba6d83668d94437a5dddef8a7d2d305f1daee32d47c20d023eacd2ba61c29e752e8054c922c6ab7e20a8dd801b5f0bf9598c0fec2c157

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

memory/2732-32-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 29 - 5 - 2025\smss.exe

MD5 c4f74a3c27302b2fbd683577802613b5
SHA1 b4790688317be23e9724d75f7f640af59ca7e982
SHA256 01a268fe4f9cf5c33f459419cf48eae47e1566f1cca40537dd919d24e040fa7b
SHA512 e35513f7742431fb5577c68c54ea25af61fbbe03c548171548720a194abcb952528008058de1f871cfed271ba93a8b9e0ac7a5e21c852d91c8a94567acc1ed45

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 d3672cd0480b66fc45d039d89de0b120
SHA1 fec8a021a757dcf7189318d67b650b90c898f456
SHA256 b72d20d2051cd4b1719be91e225f46acc9408e3ad427ac2e729d56e8478077d7
SHA512 5095933ab7c44dcfafb5e04d4a80f7bad5cb33d8439b7a3e1063ad8baa6d84c6fc10f420316777def9d85301c4d838ccd665a11413c0394de56b6f3a28236136

memory/1288-73-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 29 - 5 - 2025\Gaara.exe

MD5 03d907556f6ad6f7f4e8734523382637
SHA1 6e621006fdbc1318aaa2ffd54c0d6185fd082a68
SHA256 85195864f17439baffa0378ad658bf72ebf1b1e59a3fe474f58b13521c0a7923
SHA512 cc3e789efdfeaebf4521b4ead10978b78a6b06b6a953883675ffc303ff135d7825bbd230444bb4e9ce5f2d12f530ed60935e8eaa49a483519e6b5d6080bc64db

memory/3424-78-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\29-5-2025.exe

MD5 a2228677c7857e7fb2ca98271e2307e3
SHA1 cf5b0dfa15637146126585345c8bac07c2b70e11
SHA256 2626e88d782305a14a78722311eedf587022b160841373157fba41a29a683e33
SHA512 c2b7d44f8c66b05deb36e8e9e08947e9b6efc1cca196cc2eba300fae79e71ac7eb0e137d9c71d910297051462dd48fc427218e4cd4a5e7da251501bd5714f14c

memory/4960-109-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5072-114-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5072-118-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 29 - 5 - 2025\csrss.exe

MD5 c5a643708d6f3b6082769805551637f2
SHA1 b9e78d605ba0b45aa6212f4a6d62df50d98ff350
SHA256 220e8b68e6579afce7655a4de28132b3ae1992159b47a2d8ac3cddd244c74f2e
SHA512 f4a5a6ac24c24f21f5861a200d18ad4cb31030f8df15ecc1e8a1a7a4415f05b7a77fa7b5371e03dfd3d6d3282e03ae6b4aa95c624ae33d8427b08014924c8f1e

memory/4952-122-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/3720-154-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2732-160-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5324-163-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4712-161-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4712-167-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 b66ab2ac2b4c6f78787cd3584130b838
SHA1 075ab33dd583069f31dab9ba0c76a4aed7a85a93
SHA256 0fc537a50a57aaf13479fd4aa282df3efa7dfee5515d170ebc13783f68e6b786
SHA512 77e9486dcd06a96ed1644da234e241a017ff85e322cc06a583eaad7bd0950f0cbeb0fd61edcf9605533bb349579dffebba7c773cb001ab6c95f6b7d708e6d60f

memory/5852-170-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2320-194-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3424-195-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2320-200-0x0000000000400000-0x000000000042A000-memory.dmp

memory/684-206-0x0000000000400000-0x000000000042A000-memory.dmp

memory/444-213-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3208-211-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3208-217-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 ec7df29c634559341bef61fa7b7b7c21
SHA1 4a81f3c5fcc8a2a14aa9c8d54cd154e8e11b2ebb
SHA256 0a77db3771b709a8d14a12e7abc153fabe9daa7317e12837c675a7bda1c37cb9
SHA512 f15bd5d663d3e6dd63a8440de17cb667ea1d45366fb17ee4cc12b13402180295c84d444941b4f2561d4a6327bf8002971832513df8e88980ee5a523c2e44c922

memory/724-222-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4952-221-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\29-5-2025.exe

MD5 97acb3588c50d0cd48cf0c4fcf6a15b4
SHA1 2552c180af327e1be5b2b01683b29ef3e2aba83b
SHA256 4252dfdca084e6dee44f6033493ee2845ae9c67f77c3ef9ff78d2cb4257591d0
SHA512 32b3dd77d6d1b958e0cf40e23d36423fea4c7838f8f28ca99df173219879d45ecb2378d1a3ab0366f835581aacdd207e1ed4de562106aee3a9ccacfbc6db13c1

memory/5852-247-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5820-249-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3396-253-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4176-256-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2976-258-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4176-261-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1548-268-0x0000000000400000-0x000000000042A000-memory.dmp

memory/724-273-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5312-277-0x0000000000400000-0x000000000042A000-memory.dmp

memory/888-275-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5260-284-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5224-291-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4676-297-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5424-299-0x0000000000400000-0x000000000042A000-memory.dmp

memory/580-303-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3424-304-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4952-305-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5852-306-0x0000000000400000-0x000000000042A000-memory.dmp

memory/724-307-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3720-308-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2732-309-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

memory/3720-369-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2732-411-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3424-412-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

memory/4952-437-0x0000000000400000-0x000000000042A000-memory.dmp

F:\Admin Games\Kazekage VS Hokage.exe

MD5 7198b4319bf7f4f27ef0a66b19c9271a
SHA1 f55ea950063b9f3ffad340409ab242bb76c000c6
SHA256 d0c4d22ec0d4a794abdeeba1ca6a32da9508bf41e7af35446f0f6e62dca31aa5
SHA512 4f414e80cf634a44205bb094faaac725eebbbd9eccae7ecd196454bfcfa8f5b09cc0aa12be2beb78c5f7e993c5f180cd150608c68a66ef8d31791d97e3626b5b

memory/724-538-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5852-543-0x0000000000400000-0x000000000042A000-memory.dmp