Malware Analysis Report

2025-08-10 20:49

Sample ID 250502-jzjppayydz
Target 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer
SHA256 7bf1fe4359ff9dad74a1d30d2b26a89631450b34a983835a497447df96c50b3e
Tags
upx defense_evasion discovery persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7bf1fe4359ff9dad74a1d30d2b26a89631450b34a983835a497447df96c50b3e

Threat Level: Known bad

The file 2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer was found to be: Known bad.

Malicious Activity Summary

upx defense_evasion discovery persistence ransomware trojan

Modifies visibility of file extensions in Explorer

Modifies visiblity of hidden/system files in Explorer

UAC bypass

Modifies WinLogon for persistence

Event Triggered Execution: Image File Execution Options Injection

Drops file in Drivers directory

Disables use of System Restore points

Disables RegEdit via registry modification

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Checks whether UAC is enabled

Drops desktop.ini file(s)

UPX packed file

Sets desktop wallpaper using registry

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Modifies registry class

Runs ping.exe

System policy modification

Modifies Control Panel

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-02 08:06

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-02 08:06

Reported

2025-05-02 08:08

Platform

win10v2004-20250410-en

Max time kernel

150s

Max time network

139s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visiblity of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\W:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\H:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\M:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\S:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\J:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\K:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\2-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3564 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 3564 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 3564 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 2644 wrote to memory of 4760 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 2644 wrote to memory of 4760 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 2644 wrote to memory of 4760 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 2644 wrote to memory of 4916 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 2644 wrote to memory of 4916 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 2644 wrote to memory of 4916 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4916 wrote to memory of 832 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4916 wrote to memory of 832 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4916 wrote to memory of 832 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4916 wrote to memory of 3280 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4916 wrote to memory of 3280 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4916 wrote to memory of 3280 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4916 wrote to memory of 456 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 4916 wrote to memory of 456 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 4916 wrote to memory of 456 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 456 wrote to memory of 3552 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 456 wrote to memory of 3552 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 456 wrote to memory of 3552 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 3564 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 3564 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 3564 wrote to memory of 572 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 456 wrote to memory of 5488 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 456 wrote to memory of 5488 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 456 wrote to memory of 5488 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 3564 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 3564 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 3564 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 456 wrote to memory of 3492 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 456 wrote to memory of 3492 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 456 wrote to memory of 3492 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 3564 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3564 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3564 wrote to memory of 1092 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 456 wrote to memory of 3896 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 456 wrote to memory of 3896 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 456 wrote to memory of 3896 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4916 wrote to memory of 3036 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4916 wrote to memory of 3036 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4916 wrote to memory of 3036 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1092 wrote to memory of 2892 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 1092 wrote to memory of 2892 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 1092 wrote to memory of 2892 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 2644 wrote to memory of 5856 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 2644 wrote to memory of 5856 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 2644 wrote to memory of 5856 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 1092 wrote to memory of 3344 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 1092 wrote to memory of 3344 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 1092 wrote to memory of 3344 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4916 wrote to memory of 2292 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4916 wrote to memory of 2292 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4916 wrote to memory of 2292 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2644 wrote to memory of 1036 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2644 wrote to memory of 1036 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2644 wrote to memory of 1036 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1092 wrote to memory of 2880 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 1092 wrote to memory of 2880 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 1092 wrote to memory of 2880 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 2644 wrote to memory of 4372 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2644 wrote to memory of 4372 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2644 wrote to memory of 4372 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1092 wrote to memory of 1352 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 2-5-2025.exe

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.185.131:80 c.pki.goog tcp

Files

memory/3564-0-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

MD5 de01a22e6c425a183ea1cf5d4885fc00
SHA1 497a9d42f0399808ca69d3e85f21abb4b21607fd
SHA256 7bf1fe4359ff9dad74a1d30d2b26a89631450b34a983835a497447df96c50b3e
SHA512 dd3a43126bb0ad9007a2ee947ea84c492fb8c8bce254fa2910f9202cf9141af716ac884f8297918e4d45778d05d6e8e736d2a4571fae4cb6124d309fc37a0a86

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

MD5 105462f0cc9624a7d3a8954e1bef074e
SHA1 4900ee9d9c40bd0157ef355665431d0e987ad625
SHA256 c2f9161be86dc7a1699cb758c8ca9073e1f2f9895374d4e09c3515311d4f9439
SHA512 62940241117d7d91356844a788b00b44b4236e8f5dc83bc28895d5c3b8a76b7dddd7750957c80a71c307598358efa961f2f03b154cce5645d5374f6a80bfa460

memory/2644-32-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

MD5 4c6ff0e39475772cb51de926e7dc951a
SHA1 8a57b2fcccf2a498076602be828df04c46e42581
SHA256 017e3b1ff2644b3654b576cdc6650b13482cdd8ff7b1212aa5f5c66aad853e83
SHA512 d09908275866df02b4a39b8711e44a00e310d2c695dd0248eb824f2fb57e6ff8288f7573c365162ccc6f0f713a1ffe0d3a404d1e8409ea930ec6a6a0cf4a33ed

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

MD5 6a138074a24bed3c47df6e189c461a1a
SHA1 872707d537eb340f8d5844718eba41aa247c3073
SHA256 e38c0edb0195c602735007e07fbcf242f9eba3902ee52602c1cb4c5345a3854f
SHA512 c2f6e6690d6272391eadb9872ca830233eb49b5bd691c147faf52eb9b6e6928ae550101ca44535e2c3e662925fe2e837875b9d82ca992d50519b3753e399891f

C:\Windows\SysWOW64\2-5-2025.exe

MD5 3bd791cdf1e08b73263a32ff31f966fa
SHA1 959813a9cbf6dcfcec2347273358581caff9a761
SHA256 5a56266c61bd8f73fddc040f4f8ded83947eb62e741e7d86779c6678bd4c6eee
SHA512 a653c82a449c984a790bbf58c88b891d7a148b95336b2acfc8de0f3609e0b338bb9547020432d365c14a9f045d22654c6d975abc9c12ed6d03bd6d0b7ef2968a

memory/4760-70-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4916-79-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4760-76-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\2-5-2025.exe

MD5 ff42cf5d60ec7aa7cfe7c64454a899f4
SHA1 750b80f723a575ef400bb6753ad8cfbd9eb722ac
SHA256 64db9cc5aba5e04a44d39716cf94104d5b7511d21832fa73e2d11952e84ad68b
SHA512 6b1e466d4a83b96ebbbe2f761e5ca66fee955c2ce9093976a190799d8782a8aac0d827d6240b8ab36bc98708d638739e4ed312da176458499d27ae27063f4344

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 7747bb9f1f9d8be7f907775df7744343
SHA1 5f620c0bd93bc393559ef5035bc1702275c439f3
SHA256 346de0dfb31b3ab0321fd35de768e8117307c889186e3fd0c89b2a59148cb152
SHA512 4e45c0ea642106002ea2d08b84525e5c4264756eadf600c0f12bfb93abcf39249e8ceb9aeb0a66a233a5d8ddb6f35d36242f685e9dbabf978f5811a44b47b89f

memory/3564-114-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3280-115-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3280-120-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

MD5 1aa1f8240bf8e1df0f8e9dce622b9686
SHA1 0ed29905c0a29c5c83f593a8da7931c77c4b5190
SHA256 5e0a0ade22beb780ad78d27d635caf5bf534c2fe36a155ee8201f2d2e850bb9a
SHA512 3b5b02fa42890da22d7eb157c4d64cb6a96b47761ffb0fa22b811d98f59b75671ee6f2bda067271a7e3a14afc10161bf345c43937fb2734641bff72807cd5e1e

memory/2644-123-0x0000000000400000-0x000000000042A000-memory.dmp

memory/456-124-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 ff1ab89e3f95ace6b4777aa56ad9ae52
SHA1 710ad910384744f501b0885c1acafcaf7fe252b3
SHA256 48d0c293d2b738fa2951da82a2cc2784a49bfb768f80664050907759b2277b9c
SHA512 b09685df633606a21c007b1329f081fea063bed68c3cf2ded66572b29c80391571aff3aaf128cd683b74154bd9810b624d35a4ccbf2a7dc0ea762974439caba5

C:\Windows\SysWOW64\drivers\system32.exe

MD5 c6134451ed6e3d7c112a3651738887be
SHA1 cc3deaae30ff455cf8312ead59029573a3822dd8
SHA256 08ad58e2c678cf948f57acbea0ee1729e9e7b4685858a71396be60a07dae8eb3
SHA512 8ffed3508b9c45502b8b724fb977a87c969d6f99a9632eecf411ffe3007d57aab76fe005c3f6cb5a16a91eb9143db854ed54f7a9acfe3623d5dce078f935dc99

memory/4916-159-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3552-166-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1796-170-0x0000000000400000-0x000000000042A000-memory.dmp

memory/572-174-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5488-179-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1796-183-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1092-188-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3896-192-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3492-185-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\2-5-2025.exe

MD5 03b6d04a3e927f853ccc3f7be503a491
SHA1 ef68546dfb792be3d08a238adcc34d335986b834
SHA256 35143657f4b273dbb7cbd674df426c6adf458275b50e5bbe7044ee93ecaf111a
SHA512 6dde569c854286ba74b525a78aeb70a62e1fd5585e20adf10c12995e1220862db006d8b747adf5c64dc2afb1e1ecf23f24a594caad2e0478acc39b1f44bc09ca

memory/456-216-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3896-218-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 9e113edcf4b68e6947b988a1c17018a4
SHA1 016b3a4f2a1e2a298156599549dd45f513ee20f7
SHA256 ae3084c7d7661ce95e4a5341145f1f222189eec58e22e996fac5b6e75db3a091
SHA512 ec8ff20594070069b1583ee757e447f77a220ec03b2ad64b9facf23c790ff1a7641f5ea158cb6f358abc27dd50b671879a0a0d1939432c5e74a696e822479feb

memory/2292-238-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2892-239-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3036-241-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1036-244-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5856-246-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3344-250-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1036-261-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\2-5-2025.exe

MD5 5771672322fe0916002efdd011b2e32b
SHA1 3bb48d6e8ce7e6aebbb6a5d5bc42ea948b5f2e6e
SHA256 d0fed84b30b1a20ebae414b98b7602e4fd68b8d7b8bcf6101882b4e37fac9bbf
SHA512 e0eea0fee9d87ebc1d1e35c94888e6ec97f5da35763cbdbf3307f87f9cfc8f9a9d8afab67975ce31f97306e713b12956de8b14d434f2dda02bbb741287cdcc5b

memory/4372-259-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1092-258-0x0000000000400000-0x000000000042A000-memory.dmp

memory/456-257-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5656-276-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1352-278-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4372-283-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5656-288-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2644-290-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5960-292-0x0000000000400000-0x000000000042A000-memory.dmp

memory/6020-296-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2292-297-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3044-302-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4084-305-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4916-306-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1092-307-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2292-308-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3564-309-0x0000000000400000-0x000000000042A000-memory.dmp

memory/456-310-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2644-311-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3564-341-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

memory/2644-390-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

memory/4916-538-0x0000000000400000-0x000000000042A000-memory.dmp

memory/456-581-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1092-584-0x0000000000400000-0x000000000042A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-02 08:06

Reported

2025-05-02 08:08

Platform

win11-20250410-en

Max time kernel

150s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A

Modifies visiblity of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created D:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\M:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\P:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\G:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\2-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2211465213-323295031-1970282057-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1664 wrote to memory of 5476 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 1664 wrote to memory of 5476 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 1664 wrote to memory of 5476 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5476 wrote to memory of 3488 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5476 wrote to memory of 3488 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5476 wrote to memory of 3488 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5476 wrote to memory of 4868 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 5476 wrote to memory of 4868 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 5476 wrote to memory of 4868 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4868 wrote to memory of 4436 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4868 wrote to memory of 4436 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4868 wrote to memory of 4436 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4868 wrote to memory of 4936 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4868 wrote to memory of 4936 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4868 wrote to memory of 4936 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4868 wrote to memory of 5928 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 4868 wrote to memory of 5928 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 4868 wrote to memory of 5928 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 5928 wrote to memory of 5036 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5928 wrote to memory of 5036 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5928 wrote to memory of 5036 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5928 wrote to memory of 1556 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 5928 wrote to memory of 1556 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 5928 wrote to memory of 1556 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 5928 wrote to memory of 5460 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 5928 wrote to memory of 5460 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 5928 wrote to memory of 5460 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 5928 wrote to memory of 3860 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5928 wrote to memory of 3860 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5928 wrote to memory of 3860 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3860 wrote to memory of 3900 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 3860 wrote to memory of 3900 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 3860 wrote to memory of 3900 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 3860 wrote to memory of 6040 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 3860 wrote to memory of 6040 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 3860 wrote to memory of 6040 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 3860 wrote to memory of 1984 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 3860 wrote to memory of 1984 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 3860 wrote to memory of 1984 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 3860 wrote to memory of 992 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3860 wrote to memory of 992 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3860 wrote to memory of 992 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3860 wrote to memory of 5968 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3860 wrote to memory of 5968 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3860 wrote to memory of 5968 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1664 wrote to memory of 5344 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 1664 wrote to memory of 5344 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 1664 wrote to memory of 5344 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 1664 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 1664 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 1664 wrote to memory of 2036 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 1664 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1664 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1664 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5968 wrote to memory of 4492 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5968 wrote to memory of 4492 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5968 wrote to memory of 4492 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5968 wrote to memory of 232 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 5968 wrote to memory of 232 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 5968 wrote to memory of 232 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 1664 wrote to memory of 248 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1664 wrote to memory of 248 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1664 wrote to memory of 248 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5968 wrote to memory of 2040 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-02_de01a22e6c425a183ea1cf5d4885fc00_black-basta_elex_hijackloader_luca-stealer.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 2-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Files

memory/1664-0-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

MD5 de01a22e6c425a183ea1cf5d4885fc00
SHA1 497a9d42f0399808ca69d3e85f21abb4b21607fd
SHA256 7bf1fe4359ff9dad74a1d30d2b26a89631450b34a983835a497447df96c50b3e
SHA512 dd3a43126bb0ad9007a2ee947ea84c492fb8c8bce254fa2910f9202cf9141af716ac884f8297918e4d45778d05d6e8e736d2a4571fae4cb6124d309fc37a0a86

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

MD5 105462f0cc9624a7d3a8954e1bef074e
SHA1 4900ee9d9c40bd0157ef355665431d0e987ad625
SHA256 c2f9161be86dc7a1699cb758c8ca9073e1f2f9895374d4e09c3515311d4f9439
SHA512 62940241117d7d91356844a788b00b44b4236e8f5dc83bc28895d5c3b8a76b7dddd7750957c80a71c307598358efa961f2f03b154cce5645d5374f6a80bfa460

memory/5476-32-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\SysWOW64\2-5-2025.exe

MD5 7c8af5baf04f82294c4b21727cd9a924
SHA1 d24d06a40680c4365961cdb5a028512300f6bca1
SHA256 f29ffd973846670038f5b4f7ffa84599cf94fb1c8991e0488f344dae88b6a67b
SHA512 8aa1229b4dffd0ae2d5171ea3466645dd1470f6acb5ed50ea43bd20f611e17189730f7dff95e4e44fb80b24089fe1a36b347130bb0e5c671563f40ef5d3274f4

C:\Windows\SysWOW64\drivers\system32.exe

MD5 7a448750e015d73a2baae3c9de505473
SHA1 aaeed90eaa4e1b33428e15f38eb08d6fcba9ad8f
SHA256 52b2374ae77e23494d77d786a07b0c49d04ec65b2f2a2c3c5db5f1feeb505c25
SHA512 c771699209c6241dc9eca3c2cdfdf7607ba5ab88ab37e34d3b561e1c8738e8e0e24ea4905efa026222105d8597a8ae42b3d3fe5c23acce54e8a9d8e4792982e6

memory/3488-73-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

MD5 4c6ff0e39475772cb51de926e7dc951a
SHA1 8a57b2fcccf2a498076602be828df04c46e42581
SHA256 017e3b1ff2644b3654b576cdc6650b13482cdd8ff7b1212aa5f5c66aad853e83
SHA512 d09908275866df02b4a39b8711e44a00e310d2c695dd0248eb824f2fb57e6ff8288f7573c365162ccc6f0f713a1ffe0d3a404d1e8409ea930ec6a6a0cf4a33ed

memory/4868-76-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

MD5 31f6bd5b8e01dd18d1770bcc82f4b901
SHA1 7c66eeb149308d34eacdee93184c509142e1bb3d
SHA256 989485107c467ef0d1d9db750921e37f9e1fc4b3ad9bdbbbeda6c097312e3c85
SHA512 efb9e179d2a9061f442f793cbadca9a6a8c0293b3595861d964e7ef50598ecba6737149d0bcfeae8d38c10aec566769c6ff9c9e9946f072eb09ff8ff3ad50aed

C:\Windows\SysWOW64\2-5-2025.exe

MD5 36d819a13e0067357b8f1bda0c75105c
SHA1 af3c7b7aadc0d2d6028f7aef43481cb5f1534f87
SHA256 22b8b27424631e77dc037d027f2ed8d72a986df58a3861af646186921a081a6e
SHA512 4856b60c93ea6f801c0d3015618c99c0725ed44c9d0d4fdc5daf983923fac5d5fc3b05da88be1e1514ebcf8ab7cc8693259616be133ede9e6a54a852435815d6

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 cbd7c9a8e1c6dd64090f54576c3524a6
SHA1 ace8d6fe59d3f712efa5827ae01a277971f6425c
SHA256 a33d244706eacf3d6cd2ed65ac376ee5b8fe0ebf8f0fb06db97ca425392f506b
SHA512 3dca3b8ab7e4509abd055c5b71ded6d20966a2fa39657a7445c2d5fb16b54d3a73d33147aa33cfdff1900f4e84bb3ed67b14e7dc922720a84e32ef5a9efd42e7

memory/4436-109-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4436-113-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4936-119-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

MD5 4ec11353ba2c2146e1370c3e985178b8
SHA1 95a6c183b78a70079734b4bc91f277d4c399a6e1
SHA256 4b8ecf36a7fd4660e613e19824ad05c5673c243110a815a873a2213f0235cd29
SHA512 df68f151bfafc749d858ac878709f514d84dec1832ac15db73564325f387ce604528401356de649f2a1dafb29318cdb35c7bfd92490717346583751573a0dd3a

memory/5928-122-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/5036-152-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1664-151-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5036-159-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5476-156-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1556-164-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5460-169-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 3d7d7a4e83b7cb04d458c1068c2f85e0
SHA1 03203464fa8b8335c7db7605d2b5e84b7d0da7df
SHA256 1043e3dccdada63ebab8cc501089562a10744630341f19eb984e822477953802
SHA512 1fd2de0c29ccd9bd4ed32ab9e8efbf1d9466ba131ccbe8dca2f92bbda9a088406e16c4193c0fc140ceb102331eaaadb6c2224606b3a2f6409a8b1b2ad485f0bd

memory/3860-172-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4868-196-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 2085b3fb7abb3fa8b5586e4de1ba6954
SHA1 0e9a60796353207b55b08db5229b13717372a366
SHA256 50a37e8c040e531bc1e338aa27a5ef1a852db4c8c62a3848ce3aafe6cccde9ee
SHA512 659fd3223eb01f6c68cf7ec0b6aa095f44be37cc9988067a86fe0177cf0f5842185b683c7ec81da41481dd77e0b83144c51b3865f04e462efc82ed05e8d402ad

memory/6040-202-0x0000000000400000-0x000000000042A000-memory.dmp

memory/6040-208-0x0000000000400000-0x000000000042A000-memory.dmp

memory/992-214-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1984-216-0x0000000000400000-0x000000000042A000-memory.dmp

memory/992-220-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5968-224-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5928-223-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\2-5-2025.exe

MD5 7a2d54b38882118e13b48cce09830c7b
SHA1 201203e080bcd5a6126571cf37e802794ec8bd16
SHA256 f7fcbfe06c14150ab7e8b66f939bdfb14a0a47a79ca920051a44ba1183cf6894
SHA512 4e7b280c075a4da4df7daad0708ba3a52aa61bc2c265f9b20db7ad803486cac8adfe423ddd6aa9d010ab5263b2ee5cfe698245170d2426a51785fa12d2482caf

memory/2036-242-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5344-241-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2140-258-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4492-260-0x0000000000400000-0x000000000042A000-memory.dmp

memory/248-256-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3860-255-0x0000000000400000-0x000000000042A000-memory.dmp

memory/232-266-0x0000000000400000-0x000000000042A000-memory.dmp

memory/248-270-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5968-277-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1084-279-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2000-283-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5616-288-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3668-292-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1892-296-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4672-303-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3540-307-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5928-308-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3860-309-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1664-310-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5968-312-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5476-311-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4868-313-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

memory/1664-371-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

memory/4868-456-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5476-542-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5968-584-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5928-586-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3860-587-0x0000000000400000-0x000000000042A000-memory.dmp