Malware Analysis Report

2025-08-10 20:49

Sample ID 250502-m8faeabp31
Target 2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer
SHA256 ad05adca0ff65c0c5c77e9abdfedc22c13554614686ea56c68c452ecec6f8419
Tags
upx defense_evasion discovery persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ad05adca0ff65c0c5c77e9abdfedc22c13554614686ea56c68c452ecec6f8419

Threat Level: Known bad

The file 2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer was found to be: Known bad.

Malicious Activity Summary

upx defense_evasion discovery persistence ransomware trojan

UAC bypass

Modifies visibility of hidden/system files in Explorer

Modifies WinLogon for persistence

Modifies visibility of file extensions in Explorer

Disables use of System Restore points

Drops file in Drivers directory

Event Triggered Execution: Image File Execution Options Injection

Disables RegEdit via registry modification

Executes dropped EXE

Loads dropped DLL

Checks whether UAC is enabled

Adds Run key to start application

Drops desktop.ini file(s)

Enumerates connected drives

UPX packed file

Sets desktop wallpaper using registry

Drops autorun.inf file

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

System policy modification

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Control Panel

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-02 11:07

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-02 11:07

Reported

2025-05-02 11:10

Platform

win10v2004-20250314-en

Max time kernel

150s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Modifies visibility of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 2 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 2 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "2-5-2025.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Z:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\W:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\V:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File created \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File created \??\X:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\A:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\O:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created F:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File created D:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\2-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\2-5-2025.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-446031748-3036493239-2009529691-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4456 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4336 wrote to memory of 3292 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4336 wrote to memory of 5536 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 5536 wrote to memory of 5732 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5536 wrote to memory of 4500 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 5536 wrote to memory of 4680 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 4680 wrote to memory of 2880 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4680 wrote to memory of 1012 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4680 wrote to memory of 1884 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 4680 wrote to memory of 5668 N/A C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5668 wrote to memory of 4896 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 5668 wrote to memory of 3004 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 5668 wrote to memory of 3764 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 5668 wrote to memory of 5524 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4456 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 4456 wrote to memory of 4080 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe
PID 5668 wrote to memory of 1592 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4456 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1592 wrote to memory of 4908 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe
PID 4456 wrote to memory of 5060 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1592 wrote to memory of 4844 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe
PID 1592 wrote to memory of 1420 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-02_d6e4413c1010ef7b120dde43e7653bb9_black-basta_elex_luca-stealer.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 2 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 2-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.185.131:80 c.pki.goog tcp

Files

memory/4456-0-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

MD5 d6e4413c1010ef7b120dde43e7653bb9
SHA1 d472413359b5713e44eb4f46d15ee7b0dda3a572
SHA256 ad05adca0ff65c0c5c77e9abdfedc22c13554614686ea56c68c452ecec6f8419
SHA512 c9bc90c9fa0146f57e2331563848db84f6084b2fd47b94eda06ccfb2935ca47a46658870c1cd55a801cec1631e1a831c56c97bf10488daccb3d3750b8c468d47

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 2 - 5 - 2025\smss.exe

MD5 25aba9492ba1a5801059a253a5e34616
SHA1 a658c0c25687538eb0d3619851c5e12c77cd3d9e
SHA256 24d505dd6b08762f82274c0f829c38546eb38a8dcf1b7a36bfa9f22531a48670
SHA512 ccfa2c48888c51f2c12a3d971e997473adc186b5065fa5e5f987a848c59aa403d588ab2ba7746956c22277202d6c10931d8a0a5fb74c4a2f4def4c6d4ad39f47

memory/4336-32-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

memory/3292-70-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3292-74-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 2 - 5 - 2025\Gaara.exe

MD5 34a1003b9cad0c6de1d421566b75f1e9
SHA1 d556deadd28f3514dd6735025c15a107fa8851d7
SHA256 20e681d856f1ace2139df31b3ee0a92c7e52e9671197d495f76852c2f95df238
SHA512 73393c1696c22ae837f7c5cb1908bbd91b71dfd3f108170c37ef69839349bb9aad662247526699b8c1b16819e7e6e75317c559302e18a4c4bdb67caa9cb6f9ae

memory/5536-79-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\Admin 2 - 5 - 2025\csrss.exe

MD5 feee03114e7de08e00a36e6bca1abd64
SHA1 f8cc197977aa7c18f8b87285d81c1d157b608dfc
SHA256 b8e18f979cec6a6cebf00f46d14a0cb1ad6e8db425cf4ee331a484b3aa3231ec
SHA512 54edec18991f57c1c50d6f3a6759f3829b75b6eb34bd1065120184ac46bcd25977f05c36f68dfc35d2a20aec16bd32feceec8348764771e44ed27ee8c97d4511

C:\Windows\SysWOW64\2-5-2025.exe

MD5 6c2cc84526064c545e438620daa861f1
SHA1 c067c935cba799b5d6e9a2b0d3dce7f124f32ebc
SHA256 17708915ca6e628da8305ab2110afdcc8bed6269cd4183ec6610a9b9acb04e00
SHA512 837f8febcd52e888f1b0192822bf965621f030ee1bd25cfcc12043064ea5aa33ad4d97c86f61f2a2970cbd2a7173077d01cfed6dd0a15e9816612df427650e85

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 012d00c5f8d2bdda254b273892c47a2c
SHA1 cc09b5b8ef79faea907d0ad5a1277616331478b0
SHA256 76e85197c192cc5b8031dc542047f254e00dee6e6651e0d17b27837f579ab680
SHA512 9d8932c551484c1fac560619180cd716532075976737514e5304f97aa2653364a491520539809b25b8755853999dccb49eb0cbbeda15005ce4ee407f86551a11

C:\Windows\SysWOW64\drivers\system32.exe

MD5 8b54bf514184d5764b49f9edeeea944a
SHA1 9e8e68893cfe087007499aba52abf5e15cb92d08
SHA256 998b0cfe6aed7acddd4cd749d20ef7805b8372c9c18705f6e1edb9cc8960f656
SHA512 43c66cb5c268b50e75df0f581c763f0f4714d62b2c166906f51c9eda531e9fe177dfd8c25156be77b907859e5a23962a3034d87ae579a7e08bed87b5920aeb13

memory/5732-116-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4500-114-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4500-120-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4680-123-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2880-153-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4456-152-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4336-157-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1012-165-0x0000000000400000-0x000000000042A000-memory.dmp

memory/1884-169-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 cd794aa0640f399d070b274c33a9d498
SHA1 5982154f6ccd3d4b346256a8347932839134153f
SHA256 7365e35ce432a0d81f5be3eb8b4404b918ed14fbb14b4bff7fcec4ca864d6914
SHA512 7a8893a1bed2505459cd400e088dd109a0c89c0e555af54c2803d25c4411f6ee8e3d865fb50963c02b02625a7f0f0d69740bc0813629cd2dd8cf5248ae0117f8

memory/5668-172-0x0000000000400000-0x000000000042A000-memory.dmp

memory/5536-196-0x0000000000400000-0x000000000042A000-memory.dmp

memory/4896-204-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3004-202-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3764-209-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3004-211-0x0000000000400000-0x000000000042A000-memory.dmp

memory/3764-217-0x0000000000400000-0x000000000042A000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 dd386feaed547217cc0a0b6026e73ef5
SHA1 0c2e568e4d9d2b89363b2afe68683a3ad75fbd80
SHA256 f967b2e042da488f9e7f563ddb3538e12c698cd745f91044885fe28aecb28032
SHA512 f704a07d482084c93d3a9ff5405463695330980257a336467360d0cded548cd5c754ac6a7706a43b20147584f3d5f0dfa612d1ddb90cd40b8428744fd1dc6cfc

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a
