Analysis Overview
SHA256
4b0f66a3e25512e731afce15612fdac23491392468f69d657fb762c0d7e09ace
Threat Level: Known bad
The file 2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of file extensions in Explorer
Modifies WinLogon for persistence
UAC bypass
Modifies visiblity of hidden/system files in Explorer
Disables use of System Restore points
Drops file in Drivers directory
Disables RegEdit via registry modification
Event Triggered Execution: Image File Execution Options Injection
Loads dropped DLL
Executes dropped EXE
Enumerates connected drives
Checks whether UAC is enabled
Adds Run key to start application
Drops desktop.ini file(s)
UPX packed file
Drops autorun.inf file
Sets desktop wallpaper using registry
Drops file in System32 directory
Drops file in Windows directory
System Network Configuration Discovery: Internet Connection Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious behavior: EnumeratesProcesses
Modifies Internet Explorer settings
System policy modification
Modifies registry class
Runs ping.exe
Suspicious use of WriteProcessMemory
Modifies Control Panel
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-05-19 13:42
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-05-19 13:42
Reported
2025-05-19 13:45
Platform
win10v2004-20250502-en
Max time kernel
150s
Max time network
127s
Command Line
Signatures
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
Modifies visibility of file extensions in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
Modifies visiblity of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
Disables use of System Restore points
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\system32.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\Kazekage.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\drivers\system32.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 19 - 5 - 2025\\Gaara.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 19 - 5 - 2025\\smss.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "19-5-2025.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
Drops desktop.ini file(s)
Enumerates connected drives
Drops autorun.inf file
Drops file in System32 directory
Sets desktop wallpaper using registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Fonts\The Kazekage.jpg | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| File created | C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\system\mscoree.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File created | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\system\msvbvm60.dll | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\WBEM\msvbvm60.dll | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\system\mscoree.dll | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\mscomctl.ocx | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File created | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\mscomctl.ocx | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\mscomctl.ocx | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\system\mscoree.dll | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File created | C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\mscomctl.ocx | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File created | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\system\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File created | C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\system\msvbvm60.dll | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\WBEM\msvbvm60.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File created | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| File created | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| File created | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\ | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| File created | C:\Windows\WBEM\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\msvbvm60.dll | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\Fonts\The Kazekage.jpg | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\system\mscoree.dll | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\ | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\mscomctl.ocx | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File created | C:\Windows\system\msvbvm60.dll | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File created | C:\Windows\Fonts\Admin 19 - 5 - 2025\msvbvm60.dll | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| File created | C:\Windows\WBEM\msvbvm60.dll | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| File opened for modification | C:\Windows\system\mscoree.dll | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File created | C:\Windows\WBEM\msvbvm60.dll | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| File opened for modification | C:\Windows\mscomctl.ocx | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| File opened for modification | C:\Windows\ | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| File created | C:\Windows\WBEM\msvbvm60.dll | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| File opened for modification | C:\Windows\msvbvm60.dll | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| File opened for modification | C:\Windows\ | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\ping.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
Modifies Control Panel
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Size = "72" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Size = "72" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Size = "72" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Size = "72" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Size = "72" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\WallpaperStyle = "2" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Speed = "4" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Screen Saver.Marquee\Size = "72" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-343936533-1262634978-1863872812-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
Runs ping.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\drivers\Kazekage.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\drivers\system32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2025-05-19_98be8dfc249df76ae70e841f5963f8a0_amadey_black-basta_elex_hijackloader_luca-stealer.exe"
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
"C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe"
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\smss.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c Fonts\Admin 19 - 5 - 2025\Gaara.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c 19-5-2025.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c drivers\csrss.exe
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
"C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe"
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
"C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe"
C:\Windows\SysWOW64\drivers\Kazekage.exe
C:\Windows\system32\drivers\Kazekage.exe
C:\Windows\SysWOW64\drivers\system32.exe
C:\Windows\system32\drivers\system32.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.rasasayang.com.my 65500
C:\Windows\SysWOW64\ping.exe
ping -a -l www.duniasex.com 65500
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| DE | 88.221.197.123:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
Files
memory/1440-0-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
| MD5 | 98be8dfc249df76ae70e841f5963f8a0 |
| SHA1 | 3331200a841d5edefe016d6782804b22cc79baad |
| SHA256 | 4b0f66a3e25512e731afce15612fdac23491392468f69d657fb762c0d7e09ace |
| SHA512 | 5f0aba1ac96072526e67e7dee72f7cb042fece8030edadedb7bae71b3864652da02c0a6c482408cbfcf178df403b2cf22f709fb24aca7dd42a1480271faeb8e3 |
C:\Windows\System\msvbvm60.dll
| MD5 | 25f62c02619174b35851b0e0455b3d94 |
| SHA1 | 4e8ee85157f1769f6e3f61c0acbe59072209da71 |
| SHA256 | 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2 |
| SHA512 | f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a |
memory/3216-33-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\Fonts\Admin 19 - 5 - 2025\smss.exe
| MD5 | 944a8b3cab258876e540d2120192686c |
| SHA1 | f689725c4c2ec14c2163e9f6c511a1107ce8e9bc |
| SHA256 | 5d84ebe10acc5a79e36e69400b1fafd48512c18fedfcdd8251d42b7dd4adea9c |
| SHA512 | cff8f6d5197ae805d820e60a9565def99fe5ce4fd741fedba2df21fe2670aa7cdaa3cfb05a4d69790b383208315bce2d8083825ef273ce3a24edc36eb8a10b4b |
C:\Windows\Fonts\The Kazekage.jpg
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2748-72-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\Fonts\Admin 19 - 5 - 2025\Gaara.exe
| MD5 | 5780f070bdbfb929e6e2c3eba7323b16 |
| SHA1 | beca553ae33e652a2bc1ed1721f19e7a31d907da |
| SHA256 | 0977f027f2824ab8e9b851f3bac0ecd7ef690fb58980c215863490a8c2e127c8 |
| SHA512 | 38bdcd823c82cdedfad7932750f171250104ad0d4187465331ce5f35365f2b4e70762abb425a21027c31752afa8e350dad9ad8383bb5a51116bcdd73ef3b72c8 |
memory/4408-75-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\Fonts\The Kazekage.jpg
| MD5 | d6b05020d4a0ec2a3a8b687099e335df |
| SHA1 | df239d830ebcd1cde5c68c46a7b76dad49d415f4 |
| SHA256 | 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a |
| SHA512 | 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff |
memory/3944-108-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4228-114-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3944-111-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4228-117-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\Fonts\Admin 19 - 5 - 2025\csrss.exe
| MD5 | 1640ec06c3257d6ac0cd957580d8045a |
| SHA1 | 92410a6edc4340201bb8e3d2a4618fd8c2be3ab2 |
| SHA256 | 227bda383d7f30dc5868be7cab51d2c9ce719d84c4a836d3067df739bb6f0f17 |
| SHA512 | bd4f377e3797935d6e31d7da32833f10fcb3d36cf1f01a678700583fe907f63a27e53f1f15247595cb43f9b99f6c578cee266ace33c1663066143986ab55cfb8 |
memory/2156-120-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4344-153-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1440-158-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3784-159-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3400-162-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\drivers\Kazekage.exe
| MD5 | b9503ba7f80c34933496a55221dda4fa |
| SHA1 | 7c2a2bed9a76ceb5a7aca580c514924c9a4c0f76 |
| SHA256 | 2c67ad37e8abf568780f91963ab826717650a0a2c9c95f4c84e5769c360b0a40 |
| SHA512 | 0dd0b267380d6776d2f6102421f499a5eea2c640b41db7e0315b21326c43f980dbfcc42bcfa6b2cfb1ece771ff62d8a8c2466437cbaca305672d02ddcd5e96e5 |
memory/4532-166-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3216-165-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4408-194-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4596-199-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1744-200-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4596-204-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1100-207-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Windows\SysWOW64\drivers\system32.exe
| MD5 | 77f2751ef532807e2086a3bfac025c55 |
| SHA1 | 4809df094c407ef4bd708ac090e11df1663c52b2 |
| SHA256 | d28e7e8292cd4f02eba1b9a9dc2c198bef04f45cb09cc0f569edef0f1108ecae |
| SHA512 | 0d336e58b76dee55605f03c80c07ffd859d616773b19f9c524babe4abb3d620510df813f645c8f9ed9f02f60c8543be2586e5baa9a7c4fa58446d115266acb8e |
memory/2156-210-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2720-211-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2660-234-0x0000000000400000-0x000000000042B000-memory.dmp
memory/536-237-0x0000000000400000-0x000000000042B000-memory.dmp
memory/1980-242-0x0000000000400000-0x000000000042B000-memory.dmp
memory/932-241-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4532-240-0x0000000000400000-0x000000000042B000-memory.dmp
memory/932-245-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4464-251-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3040-252-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4464-256-0x0000000000400000-0x000000000042B000-memory.dmp
memory/3556-258-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2720-261-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4852-264-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2756-267-0x0000000000400000-0x000000000042B000-memory.dmp
memory/752-270-0x0000000000400000-0x000000000042B000-memory.dmp
memory/4072-275-0x0000000000400000-0x000000000042B000-memory.dmp
memory/2688-278-0x0000000000400000-0x000000000042B000-memory.dmp
C:\Admin Games\Readme.txt
| MD5 | bb5d6abdf8d0948ac6895ce7fdfbc151 |
| SHA1 | 9266b7a247a4685892197194d2b9b86c8f6dddbd |
| SHA256 | 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8 |
| SHA512 | 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c |
C:\Windows\SysWOW64\Desktop.ini
| MD5 | 64acfa7e03b01f48294cf30d201a0026 |
| SHA1 | 10facd995b38a095f30b4a800fa454c0bcbf8438 |
| SHA256 | ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62 |
| SHA512 | 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a |