Analysis Overview
SHA256
c9bce23cd71da05bf8c5fda6ee18d7d389916035ea5456a1e52c7632b4326797
Threat Level: Known bad
The file 2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer was found to be: Known bad.
Malicious Activity Summary
Modifies visiblity of hidden/system files in Explorer
Modifies visibility of file extensions in Explorer
Modifies WinLogon for persistence
UAC bypass
Disables use of System Restore points
Drops file in Drivers directory
Event Triggered Execution: Image File Execution Options Injection
Disables RegEdit via registry modification
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops desktop.ini file(s)
Enumerates connected drives
Checks whether UAC is enabled
Drops autorun.inf file
Drops file in System32 directory
UPX packed file
Sets desktop wallpaper using registry
Drops file in Windows directory
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Modifies Control Panel
Runs ping.exe
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
System policy modification
Modifies registry class
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-02 09:42
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-02 09:42
Reported
2025-05-02 09:44
Platform
win10v2004-20250410-en
Max time kernel
149s
Max time network
144s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
Disables use of System Restore points
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
Drops desktop.ini file(s)
Enumerates connected drives
Drops autorun.inf file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\2-5-2025.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File created | C:\Windows\SysWOW64\mscomctl.ocx | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File created | C:\Windows\SysWOW64\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\WBEM\msvbvm60.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\ | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\ | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\WBEM\msvbvm60.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File created | C:\Windows\mscomctl.ocx | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\system\mscoree.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\mscomctl.ocx | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\mscomctl.ocx | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File created | C:\Windows\WBEM\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\system\msvbvm60.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\msvbvm60.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\ | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\system\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\mscomctl.ocx | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\ | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\mscomctl.ocx | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\WBEM\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\system\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\mscomctl.ocx | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\ | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\mscomctl.ocx | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\system\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\system\msvbvm60.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\system\mscoree.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\system\mscoree.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Size = "72" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Size = "72" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Size = "72" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-02_43334a7043505d6ddbff13cd13568e4a_black-basta_elex_hijackloader_luca-stealer.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2-5-2025.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drivers\csrss.exe
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| DE | 142.250.185.131:80 | c.pki.goog | tcp |
Files
memory/1152-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
| MD5 | 43334a7043505d6ddbff13cd13568e4a |
| SHA1 | 86bfea6e01e10a46af5f60ccc1eab48304bd274e |
| SHA256 | c9bce23cd71da05bf8c5fda6ee18d7d389916035ea5456a1e52c7632b4326797 |
| SHA512 | c7887e6d4ba3ab7417bd2449f3b3dfd55f6a9005072bcc76df3ed9e3085c0564a112d6f3174cf8fcd433b5af615386970a5b08d77c506762ea3e75452f701929 |
C:\Windows\System\msvbvm60.dll
| MD5 | 25f62c02619174b35851b0e0455b3d94 |
| SHA1 | 4e8ee85157f1769f6e3f61c0acbe59072209da71 |
| SHA256 | 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2 |
| SHA512 | f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a |
memory/2616-34-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
| MD5 | fe2bd8462313af76e19a25086a860e45 |
| SHA1 | b713bbc1a816f9698b0c0af6f0e2e99b41c5e8c2 |
| SHA256 | ca196a861b0486d4ac64abd016cec623c30670d2f33e07c6fff958750b4db718 |
| SHA512 | 908057cb2bdc0c7d699179e961bce75e3ac92d3517413b2c748992e657c23d8cdff353ab2046ae5ec1eff6a5d40d45c83ee7f88a0c05c41035df04c760e0c0cb |
C:\Windows\Fonts\The Kazekage.jpg
| MD5 | d6b05020d4a0ec2a3a8b687099e335df |
| SHA1 | df239d830ebcd1cde5c68c46a7b76dad49d415f4 |
| SHA256 | 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a |
| SHA512 | 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff |
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
| MD5 | b761eed788286951e7fd602195eda319 |
| SHA1 | b9c28d479bf5e73c4cfdb6d96b091ab9fbe5ad38 |
| SHA256 | 0a6fb1c9aae734f548b9ecf93420c2ceee40354142b82fb3bdd2ad8140e1f86d |
| SHA512 | 9e79f35bd48a338f392b3598f4856ef300a04c8c39b2f1042b6f218c1871049e49f6836ec01a21ca0bfbc3b6f1c4fa185eee99bfb492437ce5f5d5d4496518e0 |
C:\Windows\SysWOW64\drivers\system32.exe
| MD5 | 4c666f09276d13a4ffb2e2df15304282 |
| SHA1 | b374b130cf82b6150d3744bab60281cf8ea81a71 |
| SHA256 | 17493d55c7ba944479f0d5abbec7c85a20b33d2c8338ad6330f248bf3b948b21 |
| SHA512 | 798bcf62fc4f4d5902f1528ddc75e883c3e78d193f9f0a99954f8c819c7e587956f6283fc8c3a4ac2d94c16d02bbf0d1a307471ab1fae48e12eb432c62903cee |
memory/5472-70-0x0000000000400000-0x000000000042B000-memory.dmp
memory/5472-74-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4900-78-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\drivers\system32.exe
| MD5 | 6910528972eadb723f9859da239de91a |
| SHA1 | 44ac178c646b54820782b825b8231f68f4365b95 |
| SHA256 | 7f8a2f666291989f30a5f2eccbe1035fb24e71e7b89cc35b3d4c77bc649d8f39 |
| SHA512 | 673f4b4881f2fa7025353694ce4039d20af1ebc847d106a30cdd2117f23c02e3c7836e9670b2624264e29b8d39b793cc222a027e15f9797156e8cca2a844866b |
C:\Windows\SysWOW64\drivers\Kazekage.exe
| MD5 | a3848c3573728eaf6be9dc05fb13707f |
| SHA1 | 231237c75a386b194d4af3411483da5fb0a1c40c |
| SHA256 | c7ecda76bee6852bf23b71c05ad01029ca22ce26e29648c44f1a38ae818888cf |
| SHA512 | 8d56d8e3ecf950a84490ab89d5adbacf57e32b080f9d71211bf2676a4a7ccb61782d14e3b7bdf029a3cc4429abf5cf7093f40762a76a56f1e8bf4776427cce62 |
C:\Windows\SysWOW64\2-5-2025.exe
| MD5 | e799a73ffdb77511a0628a5271b24b9f |
| SHA1 | e3b35e38b31079b6e63383abacd0a68d428e91b4 |
| SHA256 | 8a97bc7af6c86835752e8305cd54747505610e5bcd0c885e08c3d6c0ec9e9d9d |
| SHA512 | 1aca39f79723ebf452e48c8182850e1a21d4cf6769bd9d53e33f31667fe5cd778f10d0fa4ed51a4e52cb0ac506973be4051708841b1b69d5fea61529cf96caf4 |
memory/3916-113-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3916-116-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
| MD5 | 08d51cd548ae1c1410ac360291b52f92 |
| SHA1 | f8ff7af484156645ec02346a2c157f7cfe6802d3 |
| SHA256 | 29d1135782bd768059540da35bfd1228c15c3e02fbe1022fbe274411547fece4 |
| SHA512 | 4c61cb533a54dd2fe62283e224f5cfa1abed4ae38564b5cc73990a3882de05b888928b83381ed709e2f20d3b7d107a233f6a2dc6db59756b083b4b7b90923a13 |
memory/3696-119-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1152-127-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\drivers\Kazekage.exe
| MD5 | dac84a6cc1ec533e1ccda6f6c0efdfdd |
| SHA1 | 8d3743b4202e65e0f2e64f1650a9b013c0c61f93 |
| SHA256 | 03e6fd83ee32cdcc1786ff8b5916206f31abb8c7b5d6d1980a225e7f6b581ca7 |
| SHA512 | d6a1789b86ee3df6cd04cf79167643fbb91029146a71053f19bede521347d2f77074643fd970e2c274ad9484885f5a4d8f08f8143b41dc4c95e120c929e6d621 |
memory/2616-139-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4900-159-0x0000000000400000-0x000000000042B000-memory.dmp
memory/6068-161-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3652-168-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3456-169-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1612-170-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1960-176-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3696-177-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3456-182-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\2-5-2025.exe
| MD5 | b9a7acfd55442696f9a32cd924e289e3 |
| SHA1 | 2725caa7d05b9259b72782cd6af806aad2314be4 |
| SHA256 | 7aed92010844b8531a016bd7680e8537942b2803b7f41d4487fa1b3c058777e9 |
| SHA512 | e89a8e8c7051fc8f5e66bcec760392797e2fcb97cb73e2673b930bb2ad8e6e02a30acf15061c2d8776f8dbed0d29c9a3cd425a2d41a00162876e6dd8ec7e8289 |
memory/732-204-0x0000000000400000-0x000000000042B000-memory.dmp
memory/5204-203-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\drivers\system32.exe
| MD5 | 5e7008a098750c4015d547727695c538 |
| SHA1 | 061a83e48302d9de5e30548bf5206239c54f632b |
| SHA256 | 73bf07ae250bf316f501f51b7722f3f6d435c55dd2ec789adf90a443c002c256 |
| SHA512 | 372473605be6f0de1c1117375a2520968488ef90c12c85f1001a40abd22f5ca2b63fe3fd3a2e53a88c30ebd8ae7a9cada0d00c984b63900a6176e3b43a2187e1 |
memory/1472-229-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1960-230-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1028-228-0x0000000000400000-0x000000000042B000-memory.dmp
memory/5204-225-0x0000000000400000-0x000000000042B000-memory.dmp
memory/5416-236-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3012-238-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1384-241-0x0000000000400000-0x000000000042B000-memory.dmp
memory/368-255-0x0000000000400000-0x000000000042B000-memory.dmp
memory/6096-257-0x0000000000400000-0x000000000042B000-memory.dmp
memory/6124-260-0x0000000000400000-0x000000000042B000-memory.dmp
memory/6096-262-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1136-266-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1472-269-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2340-270-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4376-273-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Admin Games\Readme.txt
| MD5 | bb5d6abdf8d0948ac6895ce7fdfbc151 |
| SHA1 | 9266b7a247a4685892197194d2b9b86c8f6dddbd |
| SHA256 | 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8 |
| SHA512 | 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c |
C:\Autorun.inf
| MD5 | 1564dfe69ffed40950e5cb644e0894d1 |
| SHA1 | 201b6f7a01cc49bb698bea6d4945a082ed454ce4 |
| SHA256 | be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184 |
| SHA512 | 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097 |
C:\Windows\SysWOW64\Desktop.ini
| MD5 | 64acfa7e03b01f48294cf30d201a0026 |
| SHA1 | 10facd995b38a095f30b4a800fa454c0bcbf8438 |
| SHA256 | ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62 |
| SHA512 | 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a |