Malware Analysis Report

2025-08-05 15:10

Sample ID 250503-r96wzavtgs
Target 2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer
SHA256 f56b9bb5bf2980192b6a6df25652706f6b094b74a3c2bd5dc905a6c42fb93969
Tags
defense_evasion discovery persistence ransomware trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f56b9bb5bf2980192b6a6df25652706f6b094b74a3c2bd5dc905a6c42fb93969

Threat Level: Known bad

The file 2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer was found to be: Known bad.

Malicious Activity Summary

defense_evasion discovery persistence ransomware trojan upx

UAC bypass

Modifies WinLogon for persistence

Modifies visiblity of hidden/system files in Explorer

Modifies visibility of file extensions in Explorer

Disables use of System Restore points

Event Triggered Execution: Image File Execution Options Injection

Drops file in Drivers directory

Disables RegEdit via registry modification

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops desktop.ini file(s)

Checks whether UAC is enabled

Adds Run key to start application

UPX packed file

Drops autorun.inf file

Sets desktop wallpaper using registry

Drops file in System32 directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

System Network Configuration Discovery: Internet Connection Discovery

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: EnumeratesProcesses

System policy modification

Modifies Control Panel

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-03 14:54

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-03 14:54

Reported

2025-05-03 14:57

Platform

win10v2004-20250502-en

Max time kernel

150s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A

Modifies visiblity of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\T:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\K:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\K:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created F:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\X:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\P:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\O:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\W:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\3-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3623617754-4043701611-775564599-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1488 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 1488 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 1488 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2260 wrote to memory of 4220 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2260 wrote to memory of 4220 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2260 wrote to memory of 4220 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2260 wrote to memory of 1360 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2260 wrote to memory of 1360 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2260 wrote to memory of 1360 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 1360 wrote to memory of 4380 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 1360 wrote to memory of 4380 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 1360 wrote to memory of 4380 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 1360 wrote to memory of 2332 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 1360 wrote to memory of 2332 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 1360 wrote to memory of 2332 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 1360 wrote to memory of 3212 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 1360 wrote to memory of 3212 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 1360 wrote to memory of 3212 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3212 wrote to memory of 3664 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3212 wrote to memory of 3664 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3212 wrote to memory of 3664 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3212 wrote to memory of 1192 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3212 wrote to memory of 1192 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3212 wrote to memory of 1192 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3212 wrote to memory of 2920 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3212 wrote to memory of 2920 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3212 wrote to memory of 2920 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3212 wrote to memory of 5104 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3212 wrote to memory of 5104 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3212 wrote to memory of 5104 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5104 wrote to memory of 5044 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 5104 wrote to memory of 5044 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 5104 wrote to memory of 5044 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 5104 wrote to memory of 5004 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 5104 wrote to memory of 5004 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 5104 wrote to memory of 5004 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 1488 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 1488 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 1488 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 5104 wrote to memory of 3084 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 5104 wrote to memory of 3084 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 5104 wrote to memory of 3084 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 1488 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 1488 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 1488 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 5104 wrote to memory of 1776 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5104 wrote to memory of 1776 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5104 wrote to memory of 1776 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1488 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1488 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1488 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5104 wrote to memory of 3096 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5104 wrote to memory of 3096 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5104 wrote to memory of 3096 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1488 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1488 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1488 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3096 wrote to memory of 4000 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3096 wrote to memory of 4000 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3096 wrote to memory of 4000 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3096 wrote to memory of 4496 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3096 wrote to memory of 4496 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3096 wrote to memory of 4496 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3096 wrote to memory of 1484 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 3-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

memory/1488-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

MD5 1060946c9efba0979fef540d0cb16087
SHA1 f69206a9598bcb86d9ca9ec0fc2345868a57c0e3
SHA256 f56b9bb5bf2980192b6a6df25652706f6b094b74a3c2bd5dc905a6c42fb93969
SHA512 27b63ec4eeea75baec4c0a977131f9f9534c38d8b9b5cc913cad9ebed9d721492b027c6c4e9acbe65dfd00438e3661658d9977fec144e351f10c121ead387df6

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

MD5 bd1f7d2a3eac0864cd8294db74de21a5
SHA1 ba62c38c02c00b1e1984aa2dc05abf4ca5a7ba89
SHA256 dc6c02e965f1ecef557a2ad54089f1afc5bc366b7ff844cd6e58db96f11944a5
SHA512 2ab83f68e12cb454a2522cd3e312783f90a8e1980e3e851a315658fda5f6c514da512ea1a3ba5947e0f36fc39ad1a23ef2889324267435dba81fe1f404c82452

memory/2260-32-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

memory/4220-72-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

MD5 b70152f361c07ca4a913d66251f05bca
SHA1 de1fc06cb730f25ab30ae423b0ff9fb0d38d84b0
SHA256 471268c1077105e918202be1dd96d9e824fb57cde69226b0c1a74d46b89445e6
SHA512 b97cdc6471590bf9b472c78cc189e61268eb74f7431b9aa3748122cce09269d4bf2e9776585d9c23b2875848906bf0776e3c1d5f05d43e13fb660a0d794303a0

memory/1360-75-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\3-5-2025.exe

MD5 32b52a8ee1ec5b9c83f7a27e87d0c83a
SHA1 a56b09abc9fcf81a33676b802d213fcac044d167
SHA256 5db103c4d05b6376a90642f3f9042080b694e055a971c75d5e7d3d95a4ab9878
SHA512 c65b891a1e0b30b44009bdad6bd911894239d6629280d256ff640ca65964df0754a04c7c8f50d7ee2397aea3ed22e02b4ddb89f1bc16752b439f9a1b572a2d5b

C:\Windows\SysWOW64\drivers\system32.exe

MD5 315c257ae488b1026e99a8c3ffc12e1a
SHA1 17ffb1043fa3c6866d5c84369b295eb91f9e64a8
SHA256 8124fcd02a0be597f0e451db321276f197193fce8dc4009141833abd17a9e327
SHA512 3d53037e95d49dea50d5a29d319fb18f1e995f46f6fe72091cf09b5ee4d1279c0861a2014d8df1bdb5ccb3791276691997185b8c8d80e032a493bb8d4da47f20

memory/4380-108-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4380-113-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2332-116-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

MD5 237cac657eee592669f9deb7b9b89d49
SHA1 7e53dc769ac3f7b9af38fe65f66f99facf62d98e
SHA256 af817c6cf6eb0b5e252c8c0b1dafeb636869cd87d45f4b4a8a5a615978575a0b
SHA512 6d7b9b7721c03b7ee451c0404d26ec8454b453955d0deecec7f3cca5d37ff9a33485c1ddbf7717b4b874eefeba009756957b8134e20b74898c4a78a728346394

memory/3212-119-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1488-148-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2260-151-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1192-159-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2920-158-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2920-162-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 62cf440cd067e062877a767066b77c8c
SHA1 0e0165cbf64619ed0e98e178acb5e072bf8b6a55
SHA256 74b0fab087659beca717b004b4a290c3bcbfca5abc593d5f3e0c9798f9ed6259
SHA512 e16ea0826f32cde87f27717c30282d3fbba70321dd6f5b004113a330b933568f274ada614d44d88f66f915ddfe79bd5b925de1af55dd65aee688a2a7c77ec55d

memory/5104-165-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\3-5-2025.exe

MD5 2e53e80e1f77c7150fffa59b0bd622f0
SHA1 60117e3b7ce9eacf5fdabebdadc1b22a6ff25a00
SHA256 0eca239c0cf040be5a023eec551248244d7057e06ad5f10b63d9adeb1d3fb09b
SHA512 2a39a223fdf8e7863e4d54bbf3927195ed0ca09f7284310ce568f875efa1531e6cb7dce76a29b462257e4a5d92fe2a98fc9c96d1f091f35da259e0b6ea4b8bbb

memory/5044-191-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5004-196-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1360-195-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5004-207-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3568-210-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3212-206-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3084-217-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1776-215-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2380-223-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 5a3955510f8eadf27ffdff3cccfbab80
SHA1 eb64bade32ab4d14ba80a5cf1eb58413896b9d84
SHA256 20907c11f90b631a518828dc5e7f8564ad7a1e8c8da528b6ec274154b0618106
SHA512 e325f09016c081282e6c923364b847ca7c3c6920f2f1bee4db2b1703ca3ae41d14ff213002034f4cd2d9d8b377f311b0a97c6838e30318f7d4607869ec2ae86e

memory/3096-225-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1940-229-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5104-227-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1776-221-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1940-235-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4000-249-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4496-252-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1484-255-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4488-258-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4052-259-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1036-262-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2164-265-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3096-268-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3232-271-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1992-274-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4836-277-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-03 14:54

Reported

2025-05-03 14:57

Platform

win11-20250502-en

Max time kernel

149s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A

Modifies visiblity of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\system32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\O:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created D:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\Y:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\P:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\S:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\3-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 6032 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 6032 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 6032 wrote to memory of 3068 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3068 wrote to memory of 4884 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3068 wrote to memory of 4884 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3068 wrote to memory of 4884 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3068 wrote to memory of 4736 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3068 wrote to memory of 4736 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3068 wrote to memory of 4736 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 4736 wrote to memory of 3788 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 4736 wrote to memory of 3788 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 4736 wrote to memory of 3788 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 4736 wrote to memory of 724 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 4736 wrote to memory of 724 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 4736 wrote to memory of 724 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 4736 wrote to memory of 3380 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 4736 wrote to memory of 3380 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 4736 wrote to memory of 3380 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3380 wrote to memory of 4176 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3380 wrote to memory of 4176 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3380 wrote to memory of 4176 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3380 wrote to memory of 1696 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3380 wrote to memory of 1696 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3380 wrote to memory of 1696 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3380 wrote to memory of 4080 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3380 wrote to memory of 4080 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3380 wrote to memory of 4080 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3380 wrote to memory of 1972 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3380 wrote to memory of 1972 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3380 wrote to memory of 1972 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1972 wrote to memory of 2920 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 1972 wrote to memory of 2920 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 1972 wrote to memory of 2920 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 1972 wrote to memory of 2984 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 1972 wrote to memory of 2984 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 1972 wrote to memory of 2984 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 1972 wrote to memory of 1900 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 1972 wrote to memory of 1900 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 1972 wrote to memory of 1900 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 1972 wrote to memory of 1056 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1972 wrote to memory of 1056 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1972 wrote to memory of 1056 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1972 wrote to memory of 440 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1972 wrote to memory of 440 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1972 wrote to memory of 440 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 440 wrote to memory of 1672 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 440 wrote to memory of 1672 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 440 wrote to memory of 1672 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 440 wrote to memory of 560 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 440 wrote to memory of 560 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 440 wrote to memory of 560 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 440 wrote to memory of 1968 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 440 wrote to memory of 1968 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 440 wrote to memory of 1968 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 440 wrote to memory of 4892 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 440 wrote to memory of 4892 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 440 wrote to memory of 4892 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 440 wrote to memory of 2808 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 440 wrote to memory of 2808 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 440 wrote to memory of 2808 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3380 wrote to memory of 6016 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3380 wrote to memory of 6016 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3380 wrote to memory of 6016 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4736 wrote to memory of 4052 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_1060946c9efba0979fef540d0cb16087_black-basta_elex_hijackloader_luca-stealer.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 3-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Files

memory/6032-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

MD5 e59484f5161196c498aed84baeb1aeef
SHA1 c17c9dfff357e16ce1e7a8f3d40b6806a62d6936
SHA256 facdde53c8139a55df600b7b4206f9a3bd4460b87291a77f5f5f7485b7abbc45
SHA512 7404d66a9f6f1b6e4f08d0e1674d09d6c8d9577b9a014065fce33c70ad2374b77b44a1cb38e48c852eca909797d8ebc309a5b9eed654de134f1e71e172934445

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

memory/3068-32-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

MD5 bd1f7d2a3eac0864cd8294db74de21a5
SHA1 ba62c38c02c00b1e1984aa2dc05abf4ca5a7ba89
SHA256 dc6c02e965f1ecef557a2ad54089f1afc5bc366b7ff844cd6e58db96f11944a5
SHA512 2ab83f68e12cb454a2522cd3e312783f90a8e1980e3e851a315658fda5f6c514da512ea1a3ba5947e0f36fc39ad1a23ef2889324267435dba81fe1f404c82452

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

memory/4884-70-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4884-73-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

MD5 067404925708f22c96b3ad60c2c9fd59
SHA1 ef066bfcbd92cbb3a8d444e6400647e10ae4fa91
SHA256 abc6e31c25319a24be216cf2db2d5cead9dfefc2c2fe4d4ce1b7bc2dc07fc19d
SHA512 fb66a5caa190a4c65566469b99699b91441f752861704b1eabe47533ad9c04e3e994d514551860642f4829c8ee10b36ea436f64af4d3ae3029ba7a8579a95735

memory/4736-78-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\3-5-2025.exe

MD5 0e8194b1ed08051a6184b9b3097b34b9
SHA1 5cffff1625775d83ef675bb54c80047e90c5d1b5
SHA256 08ed2fdf39f63890ecd4b089920deac5e7c9fccb9c0eb97e63e69adb4a06253d
SHA512 fabf37ca24c95a1dc2cc514e9458e606495513709b76737e9725b47cbd15e58fb0ba4b85905f782b1f335de85ce97b8790a24f10ed36c010bb9a7396ae10e2b9

C:\Windows\SysWOW64\drivers\system32.exe

MD5 2c8a335e21eb5e8ec23adcc41d5c11a3
SHA1 0d7c6c061515fa31d5a88b0d2234ef5227364a9a
SHA256 628b0341c86a55f3b913724822194d57e60ca416d04f5a17e6ed0ac878e0bd1d
SHA512 c832881a821938b9d60e81690e3b44d70bcb21557ce66abbe4d7cde76f209627516cb4fbd5b8b773803b6abd4e4283a37cffee4a949bdc22973e9bfbda5565b5

memory/3788-115-0x0000000000400000-0x000000000042B000-memory.dmp

memory/724-116-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

MD5 8d289316c691eceed888985db874aeac
SHA1 9fc6a73ae4288713f7107fb543b2290d6827e56b
SHA256 f50e2ee50754b3056ad53e78cc8491fac0e07501f72bb70e0621d746f1021e50
SHA512 ead8b44c9db27cc9507dea4d44313b905d7c100050229d5837e10dbdf63c5d996175e58b8182eb70730f5bec322ff7cadc4ed364300313a0d748dd147ad1b337

memory/3380-121-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 282a9c52f27f15fca3ef888298c916bb
SHA1 550d029f386d2deb78e014aabf4fac9dbcc87c08
SHA256 f829f347af6227ba9a4e16e88f85ad1800e1afb62e3eaf60c65fd720e50d78df
SHA512 0d9820dbcbdbdcaf3aebfe6ff76021670dca5feb241cf578491665c10731cb42f83e0bbf0f185e0920ea3ad387bad1654248647fe30af6d8526626f23c539311

C:\Windows\SysWOW64\drivers\system32.exe

MD5 b3b3b3fea6692c00fb23fcc497744f95
SHA1 d85e6b765e7413212e451ee0a59acf6c4e02ff91
SHA256 1e0341e87df4e41f7f5495412f39a20fa664f5858ba85051a37690a73f5b009c
SHA512 4f912106d2ee1a7a492530f3d8f47dd3f09fc16bce86a5a618ebc4eb8a8b4f127eb55ff1bceaf4bba9ef1becb07808c8018a84db63c112f7ac2273c860c65bdd

C:\Windows\SysWOW64\3-5-2025.exe

MD5 0ae958ada3d011a7cea469e6d5b0eeeb
SHA1 5d4e107bade0da7c1f2d87d16047ea2783f20084
SHA256 e1b3f36500186fe51f6ffa1b63685876e27d70b10e2709adb4abb50704bc94e9
SHA512 18e876d28bbf6989c2faae8b413389a63eef81abbb3236fe1f685663847bd2c7bab4b87c88d29fc67558d4cfe71043ae67fe11560a19bb9848cc0c45fc9f3568

memory/1696-159-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4080-158-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4080-162-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1972-167-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3068-166-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 d6d959305c1612a6eeab63d12cae27bb
SHA1 d5f829ea66822877b53c23e9870511cfa431c317
SHA256 29d16f8c4163b9ac92cf196519bc250ca5531eab3e0ddf8ef6eefbc20877b53c
SHA512 3ad202209da6ed40d5c82c1268cd99b003dee6ea514ee23cffff369c03de7f827a4329141872f5471711236c87c386702765efaa5e0d94031b4d704d1b686253

memory/1056-204-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1900-203-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2984-199-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4736-194-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1056-207-0x0000000000400000-0x000000000042B000-memory.dmp

memory/6032-157-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1696-151-0x0000000000400000-0x000000000042B000-memory.dmp

memory/440-211-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3380-210-0x0000000000400000-0x000000000042B000-memory.dmp

memory/560-235-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1672-232-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1972-240-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4892-241-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2808-244-0x0000000000400000-0x000000000042B000-memory.dmp

memory/6016-250-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4052-254-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4580-253-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4580-257-0x0000000000400000-0x000000000042B000-memory.dmp

memory/440-260-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3028-263-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5332-266-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5460-274-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1516-277-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4088-269-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

F:\Admin Games\Kazekage VS Hokage.exe

MD5 876ec9763dd6e98bac50662b6c2dfad6
SHA1 c523d316d98da4df66252122e265e23fddd4121e
SHA256 92536f8501c57218c08579c1fdc87b4917ec4b94669d8db419e051abd6178ca5
SHA512 952231a7242beffd3b09aeca8be10a7187e397782f2dbce8d92bbef9c47fcf7ff4bb7eb78b569b09a0683217cfb7f3c6ad2be1aa7a7b5d665f4ed9b03170448c