Analysis Overview
SHA256
d3a27726dc0bb86302b1830eb39506907b1740570100b31185173a7c1eeb1b2b
Threat Level: Known bad
The file 2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer was found to be: Known bad.
Malicious Activity Summary
Modifies visiblity of hidden/system files in Explorer
UAC bypass
Modifies visibility of file extensions in Explorer
Modifies WinLogon for persistence
Disables RegEdit via registry modification
Drops file in Drivers directory
Event Triggered Execution: Image File Execution Options Injection
Disables use of System Restore points
Executes dropped EXE
Loads dropped DLL
Drops desktop.ini file(s)
Enumerates connected drives
Checks whether UAC is enabled
Adds Run key to start application
Drops autorun.inf file
UPX packed file
Drops file in System32 directory
Sets desktop wallpaper using registry
Drops file in Windows directory
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
Modifies Control Panel
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
Runs ping.exe
System policy modification
Modifies registry class
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-02 10:46
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-02 10:46
Reported
2025-05-02 10:49
Platform
win10v2004-20250410-en
Max time kernel
148s
Max time network
121s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
Disables use of System Restore points
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
Drops desktop.ini file(s)
Enumerates connected drives
Drops autorun.inf file
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\SysWOW64\mscomctl.ocx | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\SysWOW64\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\mscomctl.ocx | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\Desktop.ini | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File created | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\2-5-2025.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\ | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File created | C:\Windows\SysWOW64\2-5-2025.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msvbvm60.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File created | C:\Windows\WBEM\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\ | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\mscomctl.ocx | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\system\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\system\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\WBEM\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\system\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\system\msvbvm60.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File created | C:\Windows\mscomctl.ocx | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\mscomctl.ocx | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\WBEM\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\system\mscoree.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\Fonts\The Kazekage.jpg | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\system\mscoree.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\system\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\WBEM\msvbvm60.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\ | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File created | C:\Windows\WBEM\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\system\mscoree.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\system\msvbvm60.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\system\mscoree.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\mscomctl.ocx | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\mscomctl.ocx | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\msvbvm60.dll | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\WBEM\msvbvm60.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Size = "72" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Size = "72" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Size = "72" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Size = "72" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Size = "72" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Screen Saver.Marquee\Size = "72" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3833542908-3750648139-3436651901-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-02_09eb34f6a42e70c1d038f9bef0d5c4d8_black-basta_elex_hijackloader_luca-stealer.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 2-5-2025.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drivers\csrss.exe
C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| GB | 88.221.135.50:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| DE | 142.250.185.131:80 | c.pki.goog | tcp |
Files
memory/4916-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
| MD5 | 604ce903ca8e64c684ab5f369b6ee578 |
| SHA1 | a6361cba0d6e249c6a4de50e31d9eab8d10876ad |
| SHA256 | c63a18aa4b4017cf2a2d8692cd2df9bb52bb749f64136c345be4962e4294143e |
| SHA512 | 4586b8c5c9161dfb9777ca72d66d64c744cdcd48adabf4aa9eea61da4a527c123bd129cc8192675c764f21ad08e40dcac5e49cbae0a83602863700dac615637e |
C:\Windows\System\msvbvm60.dll
| MD5 | 25f62c02619174b35851b0e0455b3d94 |
| SHA1 | 4e8ee85157f1769f6e3f61c0acbe59072209da71 |
| SHA256 | 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2 |
| SHA512 | f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a |
C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
| MD5 | 2f8b6390cda2250aebc4ee498ac95449 |
| SHA1 | fdcf643613352c4da0fc99557775f2f08a790996 |
| SHA256 | c16a33d3edd5985bf06b981bc8d2d2773f4e1245f51e45b932ac99b0cff22857 |
| SHA512 | ec1d135d141416c5e13c3991a6342d9782897863d7af1f6c5ebea74758906f11ecd416930b166886c3304819cffa528738a1551fb2e2fe9277a6be9dcf7c0118 |
memory/212-32-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\Fonts\The Kazekage.jpg
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Windows\SysWOW64\drivers\Kazekage.exe
| MD5 | 48ef7a0b8276c561006b5415f4f022de |
| SHA1 | edd5a84cf3fb1a71c8b045766f20f8301d4d5a40 |
| SHA256 | 520f13d98f3b3092819bcb6345547ca3de89bda8f6f74c5ec6d82e0696067b2b |
| SHA512 | 742ef88d276b945317e139ccc458835c9c9e2862837e60619dcd5eade58975269111116724be5ba658ae67a7f4afda46b47f07f2d1eb6ede040725c2c056e624 |
memory/4300-70-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
| MD5 | d94bef6f7c32a4c67c78117054ea0f11 |
| SHA1 | e76d712245bda8dc382cfc03aaecf3996c3adfcf |
| SHA256 | beeb1fe2e65cd390ccdc5aac7da23896ce8562494344d421c241472d5618dbb0 |
| SHA512 | 9498cd25715eeb52b8b3b52a3c38c86af8b9f56a7d20ee162b1773e57f3c994d1301ed314f101a02b2a1ef2028b312603e986417f6ce52f6f903095b4a475cf1 |
memory/2780-78-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4300-74-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\Fonts\The Kazekage.jpg
| MD5 | d6b05020d4a0ec2a3a8b687099e335df |
| SHA1 | df239d830ebcd1cde5c68c46a7b76dad49d415f4 |
| SHA256 | 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a |
| SHA512 | 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff |
C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
| MD5 | 42ae1c30888e67ba5f2a48b9de384f45 |
| SHA1 | 2844661d2a99a394d6f16d781759c2494c7a561b |
| SHA256 | 8a37e1acf4973d1a371e1f8a62788cd5dbed2519baae50402cfc41837e0f3341 |
| SHA512 | dfb5eaf5e729e81c8c9ebbbf54ae07dc8cd547b5c9f5030ff03f19e8ff8f81fcea36017e8bcfb41fb1e68569c4f63afe64883aa0381ad9f5dbfc30f701195d0d |
C:\Windows\SysWOW64\2-5-2025.exe
| MD5 | 5897d349c237909cdbcadaddef271830 |
| SHA1 | df43ff0cba1046776ce945371eaa7104a96bf6f3 |
| SHA256 | 8aded03bd1757b7897c0ebf0a2f590e8e884baac8ffadb78b0eb45e4c0537e14 |
| SHA512 | 36a0453368a4b8fde80ef5400ef85dff736a4e7065892d466621f41a604a922ab12af1e583924dbfabe9f38e30203d7bbfd4b7129eda423ba4fb3aec70afaa8f |
C:\Windows\SysWOW64\drivers\Kazekage.exe
| MD5 | 7079bd85baac02b03be3fff938b1e054 |
| SHA1 | 56c9abc57ebfe9da3b50d179d2630e7d88f05f22 |
| SHA256 | 8ba33683e0f735cc5d816ae9b1dfd3bcdafbcfdb05d39dc82997c6c3c1d6c81f |
| SHA512 | 87d34eaa4ef1a06bff451f070675051e50f7232af056ab6d636f95b8d6019c5c5ed6f3e1b9d1ca3d2dabc4e1646ed46e913efd497d53989a79304eeae142b07c |
memory/4788-115-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3656-120-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2756-158-0x0000000000400000-0x000000000042B000-memory.dmp
memory/212-186-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2780-196-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\drivers\Kazekage.exe
| MD5 | fc8a3ca4c77f9502142c22f5bc417158 |
| SHA1 | 1b910d1635b0d2fb3c83ba419fa5285da7cffbba |
| SHA256 | 5fdf066c132e5bd7ae1ef3ecfa5ea89128ffa0d5997df4c1e105510e87cdf638 |
| SHA512 | f46248075dd4c8202a2eb65663c365323b16633a39405d4d32540c8bbd3b978ed4e9c2905ee4110fcc65c0b4271886a184c39666b4354d1812def5ce12a3be60 |
memory/4980-206-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3656-224-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1028-267-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2404-270-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3536-262-0x0000000000400000-0x000000000042B000-memory.dmp
memory/624-259-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3644-256-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4980-253-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1996-250-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3568-244-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2764-241-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4552-238-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1080-235-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4936-234-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3232-229-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\2-5-2025.exe
| MD5 | 908983b6a9d4a7cbab879c126d10d40d |
| SHA1 | 4b7812486e9a688a6b474f1ace346953a2b94eb0 |
| SHA256 | 1120430fbb3550a207c2482429e4981b8a02f9fb7a437a1102e8efa4c80fe337 |
| SHA512 | 9aa2fc6f23ba3c7599aaf8c8e5518fedb720f0f2812bdbd44d492f5b2c613c3537053072e01cf43249c1602e8cf420fd33ddad79f586776684b836ea9e0c8c52 |
C:\Windows\SysWOW64\drivers\system32.exe
| MD5 | 29d1dc45498e71cb8231ca354d14ec84 |
| SHA1 | f6ccc428407268489fceab6178b0fa8b877c442b |
| SHA256 | da671e6c68d1fa93380c57c6db9caa60f7bafb2a373bc74054503622a5f7fa03 |
| SHA512 | b4bcb3e7da4ebaf60dd53ac56d3efe3ea3a6b87bb52a08dcd3c723f22af445dd5ef8e5038642693dfb7b4aabd8727d03fcac91059508dd93973c2dbe16422ec5 |
memory/4032-202-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3796-195-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\2-5-2025.exe
| MD5 | b01430ee74eb6a74fc35ee6525ef7914 |
| SHA1 | df4f29b0295b203551e6f6b795d6c7fddb3bfdf2 |
| SHA256 | 3b79f10d4bddd4e58f1baeebcac76ef7730325a178c7c83667e0701c697dc46c |
| SHA512 | 087902da42ba65347a8d3b292bfa25918bc029ff16bfcdb00abc23627b09c6d0e09ec35c21f121a42343e69e0f3e290b94c8704b67ca62bf51f2e50b7d3abc0c |
memory/1080-163-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4916-162-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2768-155-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\drivers\system32.exe
| MD5 | 10d9fc78172f52f286ec52ce3afb552a |
| SHA1 | ea7ce3fabce42bb0a16c47a3077b518eda3df1cb |
| SHA256 | 61cc6a5c0661d41096cfa7999f778d01bea1826996840a91b5c326dcb504ce11 |
| SHA512 | 2cc292888f72248f3421f17dcba56fb4f372e6539741282e7fbfad48073f83110574adf6a28626611df3b93b7143106b2c443fa22d9cd6fd055628264b1a5321 |
C:\Windows\SysWOW64\2-5-2025.exe
| MD5 | e95a95e03cdd50cbcef54bf72e7cbda5 |
| SHA1 | 372f9eda0bbbb5283c8297e70378bacb5ce9eb24 |
| SHA256 | 1432575d88b911f181a26be5ce151e113b7674772bbbdc986412db8735a81cf4 |
| SHA512 | c2b0fa2dacac0ceee3e5705be2dabc73a45c0533ed4a1708388b43d63d55a12091e6117ee25145c3c7062dbc76aacd1c788c3d4864b64ae8c4ab553da3a8b50f |
C:\Windows\SysWOW64\drivers\system32.exe
| MD5 | dc1eef2251191ea457a5040102ff9fed |
| SHA1 | 46a451589ba12e41ad8d7c809c19966fec964f7a |
| SHA256 | fca1a2a898d68cdaf839b75e5131a6f12609f26b9ec2af01514765b30cd4d25e |
| SHA512 | 4d9e3c6e84475a3246efb909b63392c4a0b3d72f2a1c3be2f88ba37690931493173283e6123ee10088281cba59a2d0eb1e674b0e15f8dc740ad56c287ed54aa3 |
C:\Autorun.inf
| MD5 | 1564dfe69ffed40950e5cb644e0894d1 |
| SHA1 | 201b6f7a01cc49bb698bea6d4945a082ed454ce4 |
| SHA256 | be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184 |
| SHA512 | 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097 |
C:\Admin Games\Readme.txt
| MD5 | bb5d6abdf8d0948ac6895ce7fdfbc151 |
| SHA1 | 9266b7a247a4685892197194d2b9b86c8f6dddbd |
| SHA256 | 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8 |
| SHA512 | 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c |
C:\Windows\SysWOW64\Desktop.ini
| MD5 | 64acfa7e03b01f48294cf30d201a0026 |
| SHA1 | 10facd995b38a095f30b4a800fa454c0bcbf8438 |
| SHA256 | ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62 |
| SHA512 | 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a |
C:\Admin Games\Hokage-Sampit (Nothing).exe
| MD5 | 85e3ea1c0907c93c4fc01f2a9a723a6a |
| SHA1 | 6fa7df52ee22295ca9319339593db5e0fdd2fba6 |
| SHA256 | eafb9905920fe8748346b8ea561f95946c66b662aba6d8fa205e50b49241117e |
| SHA512 | 98c57525fdbac529dc0d66ca79e40244e41556da1506e4c6102e992c03dfa9b559fc5de5592a0ff31390727de64c6c8b5c3d143e5e5031041637bdf84ff50a2d |