Malware Analysis Report

2025-08-10 20:49

Sample ID 250502-lp49rasl19
Target 2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer
SHA256 ddff1b4eaef1930d730ab8a38bf204c8a1ae5275bb190f97118c6a4df1045237
Tags
defense_evasion discovery persistence ransomware trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ddff1b4eaef1930d730ab8a38bf204c8a1ae5275bb190f97118c6a4df1045237

Threat Level: Known bad

The file 2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence ransomware trojan upx

Modifies visibility of file extensions in Explorer

Modifies WinLogon for persistence

Modifies visibility of hidden/system files in Explorer

UAC bypass

Disables RegEdit via registry modification

Drops file in Drivers directory

Event Triggered Execution: Image File Execution Options Injection

Disables use of System Restore points

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

Checks whether UAC is enabled

Adds Run key to start application

Enumerates connected drives

Drops file in System32 directory

UPX packed file

Sets desktop wallpaper using registry

Drops autorun.inf file

Drops file in Windows directory

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Runs ping.exe

Modifies registry class

System policy modification

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-02 09:43

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-02 09:43

Reported

2025-05-02 09:46

Platform

win11-20250410-en

Max time kernel

150s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\P:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\N:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\X:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\J:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\O:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\2-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
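The file rows above show the sample and every copy it drops re-creating the same set: three executables (Gaara.exe, smss.exe, csrss.exe) under a date-stamped folder in C:\Windows\Fonts, two more (system32.exe, Kazekage.exe) in C:\Windows\SysWOW64\drivers, the Visual Basic 6 runtime pieces (msvbvm60.dll, mscomctl.ocx) staged beside them and in C:\Windows\WBEM, and the wallpaper image. smss.exe and csrss.exe are the names of Windows session-manager processes that legitimately run only from C:\Windows\System32, so copies under Fonts\ are name masquerading, and system32.exe is a name chosen to look like a directory. The Python below is an added example, not code from the report or from the sample, that turns rows in the report's own layout into a tagged IOC list and a who-drops-what map; the "stock layout" rule (those two names belong only in System32, the VB6 runtime only in System32/SysWOW64) is an assumption to check against a clean reference image, and the event list is a constructed subset of the rows above.

```python
"""Triage the file-event rows of a sandbox report: where copies land, who writes them,
and which names are masquerading. Added example; not part of the report or the sample."""
import ntpath
from collections import defaultdict

SYSTEM32 = r"c:\windows\system32"
SYSWOW64 = r"c:\windows\syswow64"
# Assumption: on a stock install these process names run only from System32.
SYSTEM_ONLY_NAMES = {"smss.exe", "csrss.exe"}
# Executable names picked to look like a Windows directory or component.
LOOKALIKE_NAMES = {"system32.exe"}
# VB6 runtime pieces: legitimate under System32/SysWOW64, staging material anywhere else.
VB6_RUNTIME = {"msvbvm60.dll", "mscomctl.ocx"}
EXEC_EXT = (".exe", ".dll", ".ocx", ".scr")

# Constructed sample: rows copied from the report above as (action, path, writing process).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe"
FONTS = r"C:\Windows\Fonts\Admin 2 - 5 - 2025"
DRIVERS = r"C:\Windows\SysWOW64\drivers"
FILE_EVENTS = [
    ("File created", FONTS + r"\Gaara.exe", DRIVERS + r"\system32.exe"),
    ("File created", FONTS + r"\smss.exe", FONTS + r"\smss.exe"),
    ("File created", FONTS + r"\csrss.exe", FONTS + r"\csrss.exe"),
    ("File created", FONTS + r"\csrss.exe", DRIVERS + r"\Kazekage.exe"),
    ("File created", FONTS + r"\msvbvm60.dll", DRIVERS + r"\Kazekage.exe"),
    ("File created", r"C:\Windows\Fonts\The Kazekage.jpg", SAMPLE),
    ("File created", r"C:\Windows\WBEM\msvbvm60.dll", DRIVERS + r"\Kazekage.exe"),
    ("File created", FONTS + r"\smss.exe", DRIVERS + r"\system32.exe"),
    ("File created", FONTS + r"\smss.exe", SAMPLE),
    ("File created", r"C:\Windows\mscomctl.ocx", SAMPLE),
    ("File created", FONTS + r"\Gaara.exe", FONTS + r"\smss.exe"),
    ("File created", FONTS + r"\Gaara.exe", FONTS + r"\Gaara.exe"),
    ("File created", FONTS + r"\smss.exe", FONTS + r"\Gaara.exe"),
    ("File opened for modification", r"C:\Windows\system\mscoree.dll", DRIVERS + r"\system32.exe"),
    ("File opened for modification", r"C:\Windows\mscomctl.ocx", DRIVERS + r"\Kazekage.exe"),
]


def classify_path(path):
    """Tags for one path; an empty list means neither the name nor the location stands out."""
    directory, name = ntpath.split(path.lower().rstrip("\\"))
    tags = []
    if name in SYSTEM_ONLY_NAMES and directory != SYSTEM32:
        tags.append("masquerade:system-process-name")
    if name in LOOKALIKE_NAMES:
        tags.append("masquerade:directory-lookalike")
    if name in VB6_RUNTIME and directory not in (SYSTEM32, SYSWOW64):
        tags.append("vb6-runtime-staged")
    if directory.startswith(r"c:\windows\fonts") and name.endswith(EXEC_EXT):
        tags.append("executable-in-fonts-dir")
    if directory.endswith(r"\drivers") and name.endswith(".exe"):
        tags.append("exe-in-drivers-dir")
    return tags


def triage(events):
    """Group flagged paths by tag (both columns of a row are IOCs) and map writer -> dropped names."""
    findings = defaultdict(set)
    writers = defaultdict(set)
    for action, target, process in events:
        for path in (target, process):
            for tag in classify_path(path):
                findings[tag].add(path)
        if action == "File created":
            writers[ntpath.basename(process).lower()].add(ntpath.basename(target).lower())
    return dict(findings), dict(writers)


def self_replicators(writers):
    """Names that both drop copies and are themselves dropped: the worm's propagation set."""
    dropped = {n for names in writers.values() for n in names}
    return sorted(w for w in writers if w in dropped)


if __name__ == "__main__":
    findings, writers = triage(FILE_EVENTS)
    for tag, paths in sorted(findings.items()):
        print(tag)
        for p in sorted(paths):
            print("   ", p)
    print("self-replicating copies:", ", ".join(self_replicators(writers)))
```

Classifying the process column as well as the target column matters here: system32.exe and Kazekage.exe never appear as drop targets in this fragment of the table, only as writers, yet their location in the drivers directory is exactly what a hunt query should key on.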

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A (35 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A (5 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A (6 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A (6 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A (6 identical rows)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A (1 row)
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A (5 identical rows)
Note: 64 rows collapsed by process. This key is read during ordinary locale initialisation, so the 35 rows for ping.exe (a Windows binary the sample merely spawns) are expected noise; the rows that carry any signal are the ones attributed to the sample and its five dropped copies.

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A (36 identical rows)
Note: the signature is raised once per ping.exe launch and records no indicator, so the hosts being pinged have to be read from the Command Line section of this analysis.

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3582532709-2637047242-3508314386-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3000 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 3000 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 3000 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4576 wrote to memory of 3404 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4576 wrote to memory of 3404 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4576 wrote to memory of 3404 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4576 wrote to memory of 5628 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4576 wrote to memory of 5628 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4576 wrote to memory of 5628 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 5628 wrote to memory of 1636 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5628 wrote to memory of 1636 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5628 wrote to memory of 1636 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5628 wrote to memory of 2264 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 5628 wrote to memory of 2264 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 5628 wrote to memory of 2264 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 5628 wrote to memory of 4628 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 5628 wrote to memory of 4628 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 5628 wrote to memory of 4628 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 4628 wrote to memory of 4536 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4628 wrote to memory of 4536 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4628 wrote to memory of 4536 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4628 wrote to memory of 2512 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4628 wrote to memory of 2512 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4628 wrote to memory of 2512 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4628 wrote to memory of 4132 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 4628 wrote to memory of 4132 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 4628 wrote to memory of 4132 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 4628 wrote to memory of 940 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4628 wrote to memory of 940 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4628 wrote to memory of 940 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 940 wrote to memory of 768 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 940 wrote to memory of 768 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 940 wrote to memory of 768 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 940 wrote to memory of 3288 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 940 wrote to memory of 3288 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 940 wrote to memory of 3288 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 940 wrote to memory of 716 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 940 wrote to memory of 716 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 940 wrote to memory of 716 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 3000 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 3000 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 3000 wrote to memory of 3400 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 940 wrote to memory of 3884 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 940 wrote to memory of 3884 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 940 wrote to memory of 3884 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3000 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 3000 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 3000 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 3000 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3000 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3000 wrote to memory of 4860 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 940 wrote to memory of 3328 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 940 wrote to memory of 3328 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 940 wrote to memory of 3328 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3000 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3000 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3000 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3328 wrote to memory of 968 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 3328 wrote to memory of 968 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 3328 wrote to memory of 968 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 3328 wrote to memory of 2732 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 3328 wrote to memory of 2732 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 3328 wrote to memory of 2732 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 3328 wrote to memory of 5324 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 2-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Files

memory/3000-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

C:\Windows\System\msvbvm60.dll

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

memory/4576-32-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

memory/3404-70-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3404-73-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

memory/5628-78-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

C:\Windows\SysWOW64\2-5-2025.exe

C:\Windows\msvbvm60.dll

MD5 48381372e81cd12b5789c18aae3da765
SHA1 48651625020deb8de195debb4315eaac0c2c8ce4
SHA256 13a45f821672d42d1fcb109b6626877395d5b931f0169376f64a6253fe7c0e3c
SHA512 ed7b03f141d1954715638ec7980aea2836d0b63b900dc3fd483c96fffabcc9efe9e063c25174c1209c7d3cbe15605166911ebbd2a50bbd9581c0c4eccaa0ae97

C:\Windows\system\msvbvm60.dll

MD5 10461a2b86b0e0e2e411716a56bf40ee
SHA1 0ab83d15d6cd19fd2feb4c53b9ac71563e54de9f
SHA256 86aef17f4b96dcc0ee127095ff4af304dee88374e397eb44479f5527667e2045
SHA512 0fbf23694c4dcc4b82affe68c955090ef5a74c7c8f56e7b041b3cf3b240a470d3835a26c02553aae36f536c953d0c1f7ebb8db1ba1472c3abcfe33fe47d60274

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

MD5 fd397052c5d704cc2d9ea7e0fc566352
SHA1 ef55851feeaa8e9cfebecef369d7b7236dd0801a
SHA256 92af4227ac393d340ea5b9c9c8c3ec9927c0007379961406364f3742be3c28df
SHA512 179587ce5dfe3a966047aecb499126357f279160c7e81d4e0ed9704ed56274c1247c68e78f9395eef87d650d3106b15df41749c0804c9060d8dbac32c80f1faa

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 db061382506633b222350d08a0e7ebc3
SHA1 f81a32e11fe5f12f61cd6bdfdb24ab2efad348b2
SHA256 f643ff545265abd53cdf0381803eac1bd5a08f5947a9c20c72c42dbc3e216680
SHA512 ddbc8549d88649e65d56e6c905bb770e409f480da61e4e7f073bb315908c75d39e63cea4c1210251c307a358961cc879045081a804862626c89991e3cf9b6a18

C:\Windows\SysWOW64\2-5-2025.exe

MD5 c95d8d4e37d9df5ddfc97715f3264456
SHA1 edd1656c13b421e18a56af934333918b11366bda
SHA256 365d14f2f98919006c133c2ee2578c5f8bb9a594628d7ee803a3ae4c9e82d1e9
SHA512 b2d3095f93abf1e8d614a4940728be51db608a84b0fd74da4442454c90ad30a33cc412c686ce770dd3aaf5df3941ce7bed500182fb5b31761ff658e6b751ae1a

C:\Windows\SysWOW64\drivers\system32.exe

MD5 b4623e413c95cc5edc837e5820b35066
SHA1 319db352abcff6bf8a645d18bb2324c05cb52c28
SHA256 534dca7de3d0b63944e745e0bf39037235c7e3932b7c3098b68963c7755cb004
SHA512 f673219a74b3d9a9742efe63a4d8f219eb30b045b554af00caf127c0d59a0d43c7bfe57c02a719682ddd287632c155c1ea01bf24591d2083ba799147922fdf24

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-02 09:43

Reported

2025-05-02 09:46

Platform

win10v2004-20250314-en

Max time kernel

149s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
The signature name says "checks", but the indicator is a write: each of the six processes sets EnableLUA under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System to 0, which turns UAC off for every user once the machine restarts. Unlike the Run key above, this key is logged without a WOW6432Node component, so a single registry query finds it on both 32- and 64-bit hosts.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
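The two registry tables above (the Run values and EnableLUA) are the rows a responder most often has to turn into host checks. The Python below is an added example, not part of the sandbox report or the sample: it parses rows in the report's own "Set value (type) key = "data" process N/A" layout, converts the kernel-object key path the sandbox logs into the HKLM form used by reg.exe or PowerShell, strips the WOW6432Node component to get the equivalent key on a 32-bit host, undoes the doubled backslashes in the logged data, collapses the per-writer duplicates, and expands each relative Run value into candidate absolute paths. The SEARCH_ROOTS list is an assumption for illustration, not something the report states; verify on the host which candidate, if any, exists.

```python
import re
from dataclasses import dataclass

# Rows copied verbatim from the "Adds Run key to start application" and
# "Checks whether UAC is enabled" tables of this report (two rows for the
# DesertSand value, as the report lists it once per writing process).
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A',
]

# Row layout: 'Set value (<type>) <key\name> = "<data>" <process> N/A'.
ROW_RE = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (.+?) N/A$')
HIVES = {'\\REGISTRY\\MACHINE': 'HKLM', '\\REGISTRY\\USER': 'HKU'}

# Assumed directories against which the shell may resolve a relative Run value
# (explorer.exe's own directory, then the native and WOW64 system directories).
# This list is an assumption for illustration, not taken from the report.
SEARCH_ROOTS = ('C:\\Windows', 'C:\\Windows\\System32', 'C:\\Windows\\SysWOW64')


@dataclass(frozen=True)
class RegistryIoc:
    kind: str        # value type as logged: str, int, ...
    key: str         # Win32-style key path, e.g. HKLM\SOFTWARE\...
    name: str        # value name
    data: str        # value data with the report's doubled backslashes undone
    process: str     # process that wrote it

    @property
    def native_key(self) -> str:
        """The same key without the WOW6432Node component: the path a 32-bit
        host, or a 64-bit writer, would use."""
        return self.key.replace('\\WOW6432Node', '')

    def candidate_paths(self):
        """Absolute paths to check for a Run value. Relative data is expanded
        against SEARCH_ROOTS; absolute or UNC data is returned unchanged."""
        if re.match(r'^[A-Za-z]:\\', self.data) or self.data.startswith('\\\\'):
            return [self.data]
        return [root + '\\' + self.data for root in SEARCH_ROOTS]


def to_win32_key(nt_key: str) -> str:
    """Translate the kernel object path the sandbox logs into the HKLM/HKU
    form used by reg.exe and PowerShell."""
    for prefix, hive in HIVES.items():
        if nt_key.upper().startswith(prefix):
            return hive + nt_key[len(prefix):]
    return nt_key


def parse_rows(rows):
    """Parse registry-write rows into RegistryIoc objects; other rows are skipped."""
    out = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        kind, nt_key, data, process = m.groups()
        key, _, name = to_win32_key(nt_key).rpartition('\\')
        out.append(RegistryIoc(kind, key, name, data.replace('\\\\', '\\'), process))
    return out


def unique_values(iocs):
    """Collapse the per-writer rows to one entry per (key, name, data)."""
    seen = {}
    for ioc in iocs:
        seen.setdefault((ioc.key, ioc.name, ioc.data), ioc)
    return list(seen.values())


if __name__ == '__main__':
    for ioc in unique_values(parse_rows(REPORT_ROWS)):
        print(f'{ioc.key}\\{ioc.name} = {ioc.data!r} ({ioc.kind})')
        print(f'  32-bit host / native view: {ioc.native_key}\\{ioc.name}')
        if ioc.key.endswith('\\Run'):
            for p in ioc.candidate_paths():
                print(f'  check: {p}')
```

The candidate list is deliberately a list, not a verdict: the report records the write, not what explorer.exe later resolved, and the only honest host check is to look at each candidate.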

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A

Enumerates connected drives

The \??\X: opens below are the sample walking the drive letters in turn. The rows record the open attempt, so a letter listed here does not mean a volume was mounted in the sandbox; the same letters reappear as Desktop.ini and Autorun.inf write targets in the neighbouring tables.
Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A

Drops autorun.inf file

An Autorun.inf written to the root of every reachable drive, alongside the Desktop.ini above, is a removable-media propagation attempt. Windows 7 and later do not honour Autorun.inf on USB and other non-optical media (the same change reached earlier versions as an update in 2011), so on a current host the file is evidence that the sample touched the drive rather than a working execution vector; treat any drive that carries it as having been exposed to the sample.
Description Indicator Process Target
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\X:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\O:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\U:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created F:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Drops file in System32 directory

Paths appear under C:\Windows\SysWOW64 because the writers are 32-bit processes on a 64-bit sandbox and WOW64 file-system redirection sends their System32 writes there; on a 32-bit host the same files land in C:\Windows\System32, so host checks should cover both. msvbvm60.dll and mscomctl.ocx are the Visual Basic 6 runtime and Common Controls library, and the sample writes copies of both next to its droppers, which marks it as VB6 code that depends on them. 2-5-2025.exe is the copy that the 644r4 Run value above refers to by bare file name.
Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\2-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
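The file tables in this section (Desktop.ini, Autorun.inf, the System32 drops above, and the Windows-directory drops further down) mix three things a responder wants separated: per-drive-letter propagation artifacts, files dropped on the system volume, and which process wrote what. The Python below is an added example, not part of the report or the sample: it parses rows in the report's "<operation> <path> <process> N/A" layout (assuming, as holds throughout this report, that the process column begins with a drive letter), strips the \??\ prefix, buckets drive-root Autorun.inf and Desktop.ini writes by drive letter, drops directory-only opens, and adds the C:\Windows\System32 twin for every SysWOW64 path so the same check works on 32-bit hosts. The embedded rows are copied from the tables in this section.

```python
import re
from collections import defaultdict

# Rows copied from the "Drops desktop.ini file(s)", "Drops autorun.inf file",
# "Drops file in System32 directory" and "Drops file in Windows directory"
# tables of this report.
FILE_ROWS = [
    r'File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A',
    r'File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A',
    r'File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A',
    r'File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A',
    r'File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A',
    r'File created F:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A',
    r'File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A',
    r'File created C:\Windows\SysWOW64\2-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A',
    r'File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A',
    r'File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A',
    r'File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A',
]

# Row layout: "<operation> <indicator path> <process path> N/A". Both paths may
# contain spaces; the process column always starts with a drive letter here
# (an assumption that holds for every row in this report).
ROW_RE = re.compile(
    r'^(File created|File opened for modification|File opened \(read-only\)) '
    r'(.+?) ([A-Za-z]:\\.+?) N/A$')
NT_PREFIX = '\\??\\'
DRIVE_ROOT_RE = re.compile(r'^([A-Za-z]):\\(Autorun\.inf|Desktop\.ini)$', re.IGNORECASE)
SYSWOW64 = 'C:\\Windows\\SysWOW64\\'
SYSTEM32 = 'C:\\Windows\\System32\\'


def normalize_path(p: str) -> str:
    """Drop the \\??\\ kernel-namespace prefix the sandbox logs on some opens."""
    return p[len(NT_PREFIX):] if p.startswith(NT_PREFIX) else p


def wow64_twin(p: str):
    """For a path under SysWOW64, return the System32 path the same 32-bit code
    produces on a 32-bit host (WOW64 file-system redirection); else None."""
    if p.lower().startswith(SYSWOW64.lower()):
        return SYSTEM32 + p[len(SYSWOW64):]
    return None


def parse_file_rows(rows):
    """Return (operation, normalized indicator path, process) tuples."""
    out = []
    for row in rows:
        m = ROW_RE.match(row)
        if m:
            op, path, proc = m.groups()
            out.append((op, normalize_path(path), proc))
    return out


def summarize(parsed):
    """Split rows into drive-root propagation artifacts (per drive letter),
    host file IOCs (with System32 twins for SysWOW64 paths) and a writer map."""
    drive_artifacts = defaultdict(set)
    host_files = set()
    writers = defaultdict(set)
    for _op, path, proc in parsed:
        writers[path].add(proc)
        m = DRIVE_ROOT_RE.match(path)
        if m:
            drive_artifacts[m.group(2)].add(m.group(1).upper())
            continue
        if path.endswith('\\'):
            continue                      # directory open, not a file drop
        host_files.add(path)
        twin = wow64_twin(path)
        if twin:
            host_files.add(twin)
    return {
        'drive_artifacts': dict(drive_artifacts),
        'host_files': sorted(host_files),
        'writers': {k: sorted(v) for k, v in writers.items()},
    }


if __name__ == '__main__':
    s = summarize(parse_file_rows(FILE_ROWS))
    for name, letters in s['drive_artifacts'].items():
        print(f'{name}: drives {", ".join(sorted(letters))}')
    for f in s['host_files']:
        print('file:', f)
```

Feed it the full tables rather than this excerpt and the drive-letter buckets become the list of volumes to pull for Autorun.inf, while host_files is the path list to sweep on both 32- and 64-bit endpoints.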

Sets desktop wallpaper using registry

ransomware
The wallpaper value is written under the logged-on user's hive (HKU\<SID>\Control Panel\Desktop\Wallpaper) and points at C:\Windows\Fonts\The Kazekage.jpg, an image in the Fonts directory that the Windows-directory table further down records system32.exe opening for modification. The ransomware tag attached to this signature comes from the wallpaper change alone; confirm file encryption separately before handling the incident as ransomware.
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A

UPX packed file

upx
Description Indicator Process Target
51 matches; the sandbox recorded no description, indicator, process or target for any of them (every field N/A), so the signature says only that UPX-packed PE files were seen, not which ones. To identify them, check the dropped executables listed in the Files section for UPX0/UPX1 section names.

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A (24 identical events)
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A (24 identical events)
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A (16 identical events)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A (6 identical events)
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A (6 identical events)
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A (6 identical events)
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A (6 identical events)
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A (6 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5316 wrote to memory of 3676 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe (3 identical events)
PID 3676 wrote to memory of 1012 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe (3 identical events)
PID 3676 wrote to memory of 3764 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe (3 identical events)
PID 3764 wrote to memory of 3512 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe (3 identical events)
PID 3764 wrote to memory of 5736 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe (3 identical events)
PID 3764 wrote to memory of 928 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe (3 identical events)
PID 928 wrote to memory of 4472 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe (3 identical events)
PID 928 wrote to memory of 4576 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe (3 identical events)
PID 928 wrote to memory of 4464 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe (3 identical events)
PID 928 wrote to memory of 4628 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe (3 identical events)
PID 4628 wrote to memory of 4828 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe (3 identical events)
PID 4628 wrote to memory of 4812 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe (3 identical events)
PID 4628 wrote to memory of 3140 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe (3 identical events)
PID 4628 wrote to memory of 3584 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe (3 identical events)
PID 4628 wrote to memory of 5700 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe (3 identical events)
PID 5700 wrote to memory of 3952 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe (3 identical events)
PID 5700 wrote to memory of 5428 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe (3 identical events)
PID 5316 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe (3 identical events)
PID 5700 wrote to memory of 4244 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe (3 identical events)
PID 5316 wrote to memory of 3528 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe (3 identical events)
PID 5700 wrote to memory of 1448 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe (3 identical events)
PID 5316 wrote to memory of 1284 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-02_49f1577e79f6873e329523c91f10eb72_black-basta_elex_hijackloader_luca-stealer.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe [6 instances]

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe [6 instances]

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe [6 instances]

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe [6 instances]

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe [6 instances]

C:\Windows\system32\drivers\system32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 2-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\ping.exe [15 instances]

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe [15 instances]

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.185.131:80 c.pki.goog tcp

Files

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

MD5 49f1577e79f6873e329523c91f10eb72
SHA1 751e1ce9b791394c7a7f2cb70f1c23cc53105345
SHA256 ddff1b4eaef1930d730ab8a38bf204c8a1ae5275bb190f97118c6a4df1045237
SHA512 861997adb3e3337e713da816b467f73582754da151f9fc8fb6e25fc81f4dd852d9bcf4965ba3e406bd65e736ffc45e2299ec794cdb9c6d45d8813f787b640082

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

MD5 94a87c260f8717f723e5d6856b6c8565
SHA1 fac009b779b693aa829d080bc40a890f20d3deeb
SHA256 7b7d87bb8c0f81a592fed8b2d34a4c5d83962ec4e30438e2846c98c99668f571
SHA512 8425e7ac7305944c2b35410c63db4033b77c98e5a2d9b0f5e5d86f4acba60dcbdde8aad629264b5e87d0138fff66b1a5d2431dc531d1c5d63b262172625a0136

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

MD5 2f3dc43d5371bb5482611a0b8d98aba3
SHA1 bde30456d9a36f780eb9ebd3f1ec03b2c4f8b07a
SHA256 1466080dbd9c562044a700aace6b81fd4acef24ba2f6fda22b8ef3f1e5bd0777
SHA512 00cb119a2a0f8ecaaabc76354bcffae864f927d4c14c2edd241328358857f06411a43af2a5fdd1dd2fd36e7f8e7092f508fbdbf82a5ecd1d59d9248cc888e49a

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 9d99e7c33cc58eb1caf9f4fea54bb1c1
SHA1 ad9c639dd196737e3ea7e84b290d6919175aee3d
SHA256 148b7ce0c81673b0d89408cd150df04a82fbfafbedf8a139a3b52b52357a3eea
SHA512 d68797a53f71cab6840f1c6bc697a13918e999244f85b0c0898465fe56cf753e46d591d050cf86892807116117a85f95f765722909eabee7b3a8dc1eda6e21c1

C:\Windows\SysWOW64\drivers\system32.exe

MD5 653e5b2cfd5db6769817cb3c43dcee4c
SHA1 716da676dc23fb296bb2c2d61f303767a3b9df4a
SHA256 bf4151ff05d031ddf985b2e999e24ae9ff58954718b89686a0ad272422cf3483
SHA512 31d5c9672b05668f8e3d02b95b7b924562c541f92c6cf713000c27f5bdd211877ec79ad359f341c37540c7107278c58fc468b154b028e0baf63f11f061d73118

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

MD5 8c64b4a4a22f39c864015716cfea6422
SHA1 fd114c878219a15f6f69a690540c4969c60dc0ff
SHA256 faf964fc69cb3365082706b8926185b378b0bd6e69a8403f144468abf15367b1
SHA512 f394eb3ca01be35b7c4e02d1fd76d1b3b1f54e26fae21e08eda874409c1408a9713789484c640a74717db3ab2bf59502b5def90e9e8dea76bdab6ec84971f1bd

C:\Windows\SysWOW64\2-5-2025.exe

MD5 21fa69d08c1d819b839028d3078351ad
SHA1 843d8af3d998a83f7336aac929faf5eafcac52be
SHA256 60270c99d9604bab039ea81d09f18ca2ea0db392bb17e27f76b7875eece1c8ac
SHA512 122d1a3a01bcd9afe7be7dc81ade41b41fb6c933d76a40738ab25b3900c94462c1279f9e9bf29a4f285834759fc6c5213ae93f3f9f5d3669fbce07c1b3c0ac49

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 a3f7747e3be7040fbc7cf31b986585d7
SHA1 39e06c93fd9fa08e0896efdf316b863fd1bcfbc4
SHA256 dd02548455dac494c9f72f21d2ca6b75107e353befd8843e9192f1ad13b39f7b
SHA512 f81c22ead9b97b498d6bdb3f73c5bafd76ca352b0a1c1491bb9b77fffaef6a2e92baec84947bf5de65919a8df92c23c1136de16c0df69347a0080f63712d7d9c

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

MD5 588b710c1c587abe546c5d3c3f04f84f
SHA1 59e966df23a8f52541e89b6ceaac2931018fd5d2
SHA256 1d5b6d63d6adc2bc1b496bb0cb48787fbf43bdc533255167e8abd85cf1b53ea4
SHA512 cf65e429f4a4fcffe328f8de29ac22cfbcafeaddebbd5d451de529aff7f45b442c87cd3d999e3d4cefc01aca7b07a324e08d6de7cc09ff282447687702dc7070

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 265965991fa9ad39cdd5a80920199ea0
SHA1 bd60ff5e183683216e551f2131ce15510a5165cd
SHA256 90848af759fa3b0601cc040e43d731c7b5dc39797fe0e4aadebe6c59a84db4fc
SHA512 34a81b8dedd9258c485d13b12d5d5da4d5bb3813dd728ce960cb62ceeda690e029ec6c85f56823ce6ec39a47ccbd9973c24b79a028799871730792f22f27cae4

C:\Windows\SysWOW64\drivers\system32.exe

MD5 3b4e3f2a45f979dceed7a7eaf3779f5e
SHA1 86ec90a5a608c7726102451072064daeeb20b037
SHA256 fbf9cff3ebdd7b9942ce8e9d73f0f03ff4d5a8cea30b9b9930882ba1413a7043
SHA512 6c38dece2e40ac1eb49121e8b77f93bce947f0a5966a1ef07cdf335252aec509a55b8141c9490127b4b7286764f55c9cd9eb312ec94d0a05a01f81c610fd0823

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/928-227-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3952-230-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5428-235-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4628-238-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2828-239-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4244-244-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3528-246-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1448-242-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2452-249-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1448-250-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1284-254-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5700-256-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2452-258-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3192-263-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3408-265-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4264-267-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2608-270-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3396-273-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4196-276-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5604-279-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

C:\Windows\SysWOW64\2-5-2025.exe

MD5 59c4a41214c10292e0c1486c29405db5
SHA1 2ce87916895c7de97b6bde5423bc9d33aaf543b4
SHA256 f03c8ad29119598a7010edd0e9e471295e8341481016108342c9b53da1344ba3
SHA512 0e8decab5dc8c4467c3ff0dbd3cbb395aaa07da965683dd788ae85338d2160be17b5622a7b238d17ae2767825cdfff10a948ff337c8643b19d2ababa19d892e9