Malware Analysis Report

2025-08-10 20:49

Sample ID 250502-m6eabsbn9x
Target 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer
SHA256 085a996485968c9eaaf71ad895c7f01c72f9e3ffb3579b546a8a0ceab6236f89
Tags
upx defense_evasion discovery persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

085a996485968c9eaaf71ad895c7f01c72f9e3ffb3579b546a8a0ceab6236f89

Threat Level: Known bad

The file 2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer was found to be: Known bad.

Malicious Activity Summary

upx defense_evasion discovery persistence ransomware trojan

Modifies WinLogon for persistence

UAC bypass

Modifies visiblity of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Drops file in Drivers directory

Disables use of System Restore points

Event Triggered Execution: Image File Execution Options Injection

Disables RegEdit via registry modification

Executes dropped EXE

Loads dropped DLL

Drops desktop.ini file(s)

Adds Run key to start application

Enumerates connected drives

Checks whether UAC is enabled

Drops autorun.inf file

Sets desktop wallpaper using registry

Drops file in System32 directory

UPX packed file

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Modifies Control Panel

Suspicious behavior: EnumeratesProcesses

Runs ping.exe

System policy modification

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-02 11:04

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-02 11:04

Reported

2025-05-02 11:06

Platform

win10v2004-20250410-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies visiblity of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created D:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\H:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File created \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File created \??\I:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File created \??\S:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\2-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 5496 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 1760 wrote to memory of 5496 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 1760 wrote to memory of 5496 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5496 wrote to memory of 4592 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5496 wrote to memory of 4592 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5496 wrote to memory of 4592 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5496 wrote to memory of 4688 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 5496 wrote to memory of 4688 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 5496 wrote to memory of 4688 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4688 wrote to memory of 3200 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4688 wrote to memory of 3200 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4688 wrote to memory of 3200 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4688 wrote to memory of 4668 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4688 wrote to memory of 4668 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4688 wrote to memory of 4668 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4688 wrote to memory of 4780 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 4688 wrote to memory of 4780 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 4688 wrote to memory of 4780 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 4780 wrote to memory of 5056 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4780 wrote to memory of 5056 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4780 wrote to memory of 5056 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4780 wrote to memory of 1620 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4780 wrote to memory of 1620 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4780 wrote to memory of 1620 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 1760 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 1760 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 1760 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4780 wrote to memory of 3956 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 4780 wrote to memory of 3956 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 4780 wrote to memory of 3956 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 1760 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 1760 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 1760 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 1760 wrote to memory of 5864 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1760 wrote to memory of 5864 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1760 wrote to memory of 5864 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4780 wrote to memory of 4696 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4780 wrote to memory of 4696 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4780 wrote to memory of 4696 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5864 wrote to memory of 4540 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5864 wrote to memory of 4540 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5864 wrote to memory of 4540 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4780 wrote to memory of 1920 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4780 wrote to memory of 1920 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4780 wrote to memory of 1920 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5496 wrote to memory of 6008 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 5496 wrote to memory of 6008 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 5496 wrote to memory of 6008 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 5864 wrote to memory of 4252 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 5864 wrote to memory of 4252 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 5864 wrote to memory of 4252 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 5496 wrote to memory of 3236 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5496 wrote to memory of 3236 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5496 wrote to memory of 3236 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1920 wrote to memory of 3748 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 1920 wrote to memory of 3748 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 1920 wrote to memory of 3748 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5864 wrote to memory of 372 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 5864 wrote to memory of 372 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 5864 wrote to memory of 372 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 5496 wrote to memory of 4076 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5496 wrote to memory of 4076 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5496 wrote to memory of 4076 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1920 wrote to memory of 2708 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-02_081190a3c71c8f5fe364a40716b00ad5_black-basta_elex_luca-stealer.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 2-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.185.131:80 c.pki.goog tcp

Files

memory/1760-0-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

MD5 081190a3c71c8f5fe364a40716b00ad5
SHA1 c1e9d8023a841bd9ca95eeed58908a8611fdd98e
SHA256 085a996485968c9eaaf71ad895c7f01c72f9e3ffb3579b546a8a0ceab6236f89
SHA512 ab259952d9bb3e9135c0887b1a2278be4d6cb4d278f053ff2bc5ce44551cc76e4d1d7edb113bad60a88234197954260ad02e5fd067c69a994e5d783017b2e9ff

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

MD5 ea472b9e8c3abf7692b14dc75708825c
SHA1 82e2832a16bdd434a611b2aea52c3c8e775d8f82
SHA256 94a41e1676b7157b63cfb0edf059b3c99a039e1433ae873f74259e551f70be17
SHA512 f1c2001276d719e5681c8024991a01ee9726a16fd03ee8be9b7d829db9acc17112cd9809cb64aa594eb1002fc08945c3372679cece82dd40d4d2fe90750a5723

memory/5496-34-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

MD5 a0324b42ffca8d2f9ba7468b264215d5
SHA1 f00e2501daabbd71e459579558cc4451c1abf92a
SHA256 a4d01eaf7a9242bb837033404e01f04e514298bfcda8e58264afc884e0a2a4f5
SHA512 1c4b5289bf9c47d3dbc4d3105b748d248ec899930f7ee75de4f0d928b58ec161cb52605de7d9302e581d4e011bfaef3804a5d1db8e27051d09d271a16c6f024f

C:\Windows\SysWOW64\2-5-2025.exe

MD5 e110ce870a1e9221406cece0a88127c0
SHA1 4e6469e1c596411961b735b1535aede307e52c80
SHA256 5671e714f453d94e48054e669b8762ed2a85fe4d9a78b24fe237bf2fa9ceda8a
SHA512 6d9bdaa23b1db8c3dcc79883a7bc0df76d5855a90fdd2410287104e04dd20bc35d2e33d8fbfd9d4b9af6f7f226c48b5351294cd0413006c824472ff5ddc2cae4

C:\Windows\SysWOW64\drivers\system32.exe

MD5 536f876fc9f2662fc082b5c2754525f8
SHA1 f17db351640511725eb3a0aeec4109129fee264b
SHA256 0faf746cfec8607f6d142cc2d217ad0aac77d6655d5966eee24c37da9074293a
SHA512 0c5c58b8efd35052cf1bb01ddbaf40ab896d2990df0cf195b1a76de01b6241ff37ccc76672c48248fd0c5e3be467095b46c2efe3e981ac31007148145a718881

memory/4592-70-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

MD5 3f5cdaddfe8e342e24609c33a3b7b9f7
SHA1 436a969fc65cf39b5f57cab570ec3aac539d0ba6
SHA256 fc4c2dd926701e227c4612bdba4bdf15bfe17d54bb2b36390f934b6190d610e9
SHA512 3fff8c45815683458fe8cbf8ad4fa1ed4dd30b8f0a3cec767a502fa24cc6c2f338a09ca691c9f5c0b12b3c1afab0c108e1885711d998423613f5d4288ac272ec

memory/4688-77-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4592-79-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

MD5 279959b071f8ab03c5da5f0b17b60360
SHA1 74eb7b218dad08e0947dd1274d2b1fa0eab15266
SHA256 c902c3f41be2e92dd06fe0c8161df29d7afb0ed0686c90a1e527b95986298829
SHA512 8c22a64a07a7752deaffef264dc04375f4b6b07c2041e51554867550e3e6fede6bc8dbd3cfb3a92ffc16a9b6f142409aa29ea85f08aec7239ef25220adc87adc

memory/3200-110-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 e26c0b5fba9b65271f228998d6cc003e
SHA1 434b7a5c1654f3c6cdb56084bfd9a348d6993751
SHA256 120da64e3ca241813055b0b09a8702863329835f77dcaa994e5451a745591d78
SHA512 5802226228c4caaa5705eed975d64543cc44012edfaedef64adbd92323560b21f7fd1b3e034025c2647d6f61102a7a747dce3910addba7f472474df0252b7d30

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 0c3bcdc53ec15fd4441a0c8ebcc891db
SHA1 e40cbe921b6921ae16bc788c5b7d3e3c0553108b
SHA256 90cacb716912ff16f126e182a5a42e6f35d617c52e9c7a76440a797510903e34
SHA512 3504aa98f37a38629f8fc39dcc1568f89b40b5497c3bce67ec1682a9ac850671ab3a8f39cf8ea443db1f661ee843da8650d6923b413d01ed648709daf436fc3c

C:\Windows\SysWOW64\2-5-2025.exe

MD5 476bdca2fdf8ef8a12e2da9409b79dab
SHA1 b3a3a6fc12ef2b947ccfe0217dd7fda0b884a583
SHA256 d69bba6efa1b5af86b093e0a059eadc34049dfcefa72d8b41159374ff0284423
SHA512 cfbe2000924829dc94c267ee23dbfd3283e68aef138649f5ead9d9979b70216e94d5672bdd4275b7c8dd8acaf3a5894927821adbefa0f59bef3af4d91a8cef94

memory/4668-115-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3200-117-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4668-121-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4780-124-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1760-139-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1620-160-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5496-159-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4028-173-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1620-176-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2336-178-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3956-172-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4688-174-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 0e2f8f584b36b20eb5f9965b398268a8
SHA1 3d14f37af772307744ec3061fe691a171b2bdf31
SHA256 d4db9dcf4ec4f2f72b218bf404c86db95a77d4d9d483d912752de50ea261edec
SHA512 18592d4766a858c0c4cc3c1e25cdb9ca81f73422c7194c60de6452724ffd39468c776df9b7208c3ccf7a510317799cf6ed535421ca4aeea30b6489906a0c5559

memory/5864-189-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4028-185-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4696-193-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\2-5-2025.exe

MD5 1a13536dba976062e64686e14f6a628e
SHA1 fc1b66783f19a27aebc923ecd47b5f10a9472b19
SHA256 d8424cbba9a01863994c3b5bfc4d9c4ad3f49534233d1eabfb132132fde36960
SHA512 cf4462b3e3e5eeded2239da806e6ab055ba386a6787e28d68fe2f42235e323cd34d379d2a3a424bf0aa8123617809d4273003d5b5d28a47c7e561fab52b52a23

C:\Windows\SysWOW64\drivers\system32.exe

MD5 2707983b096a6ef11dc8d64499461c56
SHA1 3e9eceac2a7d5bc0a41734535f5b6dcf52c9652e
SHA256 31819dbbe8453bdc8e99f844436764a07ba34b973345d3f47bd051f556e0a1e6
SHA512 1682536e516384f9a523e63272a0baf5b9a94abfbac9524de1e9c3adfda0d2408ce09bf987b7903b18a220811501009a77e669d5b52171ee322d8322b6e02cbc

memory/4780-213-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4696-216-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1920-222-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3236-233-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3748-248-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4252-251-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4076-258-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5864-257-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3236-259-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3748-262-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4076-269-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1400-275-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2708-277-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1920-273-0x0000000000400000-0x000000000042A000-memory.dmp

memory/6068-284-0x0000000000400000-0x000000000042A000-memory.dmp

memory/812-285-0x0000000000400000-0x000000000042A000-memory.dmp

memory/2528-287-0x0000000000400000-0x000000000042A000-memory.dmp

memory/6068-297-0x0000000000400000-0x000000000042A000-memory.dmp

memory/812-301-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5632-299-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4376-305-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1760-306-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5496-307-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5864-308-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4688-309-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1920-310-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4780-311-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1760-312-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

memory/1760-367-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5496-368-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

F:\Admin Games\Kazekage VS Hokage.exe

MD5 e54889208b440bdca12d16d1d21ac060
SHA1 87e74a72abec0dbd3bf78e92a9da2d392072f701
SHA256 f61b30973645df0a678288a94d7ae0d9456446eb8d2de1b6d1a40e5ab17a7cd8
SHA512 a74f5bde51ba7b18c7b683a8e62980c5a9ae6a64b38bdf288b18bf09f73d45f044a478a747424ad0c49d3e2ec415c205ffa41ea5185408ca08ff524bb0f6dc93

memory/4688-452-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4780-475-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5864-498-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\mscomctl.ocx

MD5 7bc9a2abbb0656acfdf8165c0b2f20af
SHA1 59e381f8cbd2bbe1c8bfd1db8221e71f055e7753
SHA256 75a09b81502c684682726ba6a13f5004bc90ea613f67c9a5e5c4e096e1d6434c
SHA512 a2474634ce83fe64dd7dfd2762ab5178da6316ff4b1e021f4d8e019a42cd4d12c13ec5e53023fce8bd990ce14f3297b3a9c8b614917c8f13fddde6f36cb51d3f

memory/1920-588-0x0000000000400000-0x000000000042A000-memory.dmp