Malware Analysis Report

2025-08-05 15:10

Sample ID 250503-s924fsxrs6
Target 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer
SHA256 7edeb8b50717817a353d24aadcecec71fd9ed6648998384b723017d98d79a45b
Tags
upx defense_evasion discovery persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

7edeb8b50717817a353d24aadcecec71fd9ed6648998384b723017d98d79a45b

Threat Level: Known bad

The file 2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer was found to be: Known bad.

Malicious Activity Summary

upx defense_evasion discovery persistence ransomware trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Modifies WinLogon for persistence

Modifies visiblity of hidden/system files in Explorer

Disables use of System Restore points

Disables RegEdit via registry modification

Event Triggered Execution: Image File Execution Options Injection

Drops file in Drivers directory

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Drops desktop.ini file(s)

Checks whether UAC is enabled

Adds Run key to start application

Sets desktop wallpaper using registry

UPX packed file

Drops file in System32 directory

Drops autorun.inf file

Drops file in Windows directory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Modifies Control Panel

System policy modification

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-03 15:50

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-03 15:50

Reported

2025-05-03 15:52

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

136s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Modifies visiblity of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\M:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Z: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\B: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\O:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created D:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\A:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Y:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\A:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created D:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\X:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\W:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\I:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\3-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3674642747-2260306818-3009887879-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1832 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 1832 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 1832 wrote to memory of 4972 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 4972 wrote to memory of 5068 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 4972 wrote to memory of 5068 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 4972 wrote to memory of 5068 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 4972 wrote to memory of 3296 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 4972 wrote to memory of 3296 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 4972 wrote to memory of 3296 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3296 wrote to memory of 1004 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3296 wrote to memory of 1004 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3296 wrote to memory of 1004 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3296 wrote to memory of 2532 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3296 wrote to memory of 2532 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3296 wrote to memory of 2532 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3296 wrote to memory of 1640 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3296 wrote to memory of 1640 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3296 wrote to memory of 1640 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 1640 wrote to memory of 4844 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 1640 wrote to memory of 4844 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 1640 wrote to memory of 4844 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 1640 wrote to memory of 3380 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 1640 wrote to memory of 3380 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 1640 wrote to memory of 3380 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 1832 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 1832 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 1832 wrote to memory of 1484 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 1640 wrote to memory of 2852 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 1640 wrote to memory of 2852 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 1640 wrote to memory of 2852 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 1832 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 1832 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 1832 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 1640 wrote to memory of 2876 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1640 wrote to memory of 2876 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1640 wrote to memory of 2876 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1832 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1832 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 1832 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2876 wrote to memory of 1852 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2876 wrote to memory of 1852 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2876 wrote to memory of 1852 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 1832 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1832 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1832 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 4972 wrote to memory of 3924 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 4972 wrote to memory of 3924 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 4972 wrote to memory of 3924 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 2876 wrote to memory of 4700 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2876 wrote to memory of 4700 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2876 wrote to memory of 4700 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 4972 wrote to memory of 3968 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4972 wrote to memory of 3968 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4972 wrote to memory of 3968 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 4740 wrote to memory of 4908 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 4740 wrote to memory of 4908 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 4740 wrote to memory of 4908 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2876 wrote to memory of 4292 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 2876 wrote to memory of 4292 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 2876 wrote to memory of 4292 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 4740 wrote to memory of 4352 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 4740 wrote to memory of 4352 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 4740 wrote to memory of 4352 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 4972 wrote to memory of 4904 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 3-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

memory/1832-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

MD5 0187b29f338fa5329aecfdf4dd33458a
SHA1 da8b3f2af5e495daa6040b420dc4e0ac40d39c9b
SHA256 7edeb8b50717817a353d24aadcecec71fd9ed6648998384b723017d98d79a45b
SHA512 1257fcbe48c4e74adeaddb6957dd7702bc19ff6bdeed88500041f1f1db3f711c101e51e598e55f2c638af3a5cf3c48eaa0f76902193750e249913d7d0affdb54

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

MD5 984643d1ed01b4b3084d3c35b50e0015
SHA1 2697549eb4b527db5d797dcb792a2497a24110f4
SHA256 c7df9a68bd6b0cf16add2ed42f0bdc320b017a0178861c28219a280416f91830
SHA512 b7bd81022f5f49b34842ec96b96de0957c1386446ad77ab21409b18144cc868dc344fbcf791204c5dc2f80f32ed8ae0baf9ff03f030f14ba8e7866079b026d63

memory/4972-34-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\SysWOW64\drivers\system32.exe

MD5 fffce58a221ee5f65353dd56fc297872
SHA1 1c37131d0e0c594e98643e857a53d7e72ccec37f
SHA256 c37e46f1000c0a7b59e14f01282c15f20808265374979bc98f6d3f16adaececb
SHA512 a65f3767c5bdcd8b8873d32a3157299b6dbbc22895d585676758a96d59f6289eaf8ddaa303d32acf98dc480c088547616762b1f989d61eace46f479f96b33fcd

memory/5068-72-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5068-73-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

MD5 8c7eadf82ff963ee343fe0c94320b083
SHA1 7b7715c5100061f92b651226ec70ef0ff7440bc2
SHA256 281deebd586f2f66688f4627d00451bbef854b930bfa030f2c0338faf2524a6a
SHA512 57dd7569f1917e46fbbbc43c43f79c3d9fe5bc590eb441662d023c7c6eaf6483e1b4d41d9dd6b27bdb3ef0d4335734158294227b04633d42a379a20ca9b224ec

memory/3296-76-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 931224987af5b516e0a043a11516c785
SHA1 c956f19b7d709588a1bc60c827434af22daa44da
SHA256 fb76cc81bae535cd76880d563aab19b41cc2dddeee6629abfdc77b2436167ec6
SHA512 9a46c68e8eb0d412203c0f919b69acc66fde39156ae77afd3f2cc608c8cb768832cb01ecff6f02ece5aafb34e1033fa379adf30904ffbea9f8292d73c66ffdfc

C:\Windows\SysWOW64\drivers\system32.exe

MD5 a7e92d73089a6ada18991ed2df1cb7b6
SHA1 13d779d94a7be32a3c24c64ea426680de6b678d6
SHA256 e3f88830dad4e8b1587ae3d767c258347e88fde6892d271fca3eaf7e058ab37b
SHA512 f54d74581d5fb3ce4c65b0efde34237ef7cac4803a3c12988613241c613d319aef8702c5918c3b8fd1026927ffcaffca19788ec372d4666e100b12ce08cc03ff

memory/1004-109-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\3-5-2025.exe

MD5 c870d7b5cb93b595db0c8154d5f06fad
SHA1 8ccb4906ffd196e6700823c98e08bb4e998b37ce
SHA256 f4c28897e9083e57f02e33580a39ce1d02833a8de2363de377b22a5f8a99426d
SHA512 f959073ed16bc10f3c75129bcabb043f589dace45b4d0ac164b51a7ee3a0c952c4d29fef52fd4f4010e4103d9880383ce33c22ec0761edd0572d8c013d1b6bff

memory/2532-116-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

MD5 9d38936821c393fb9125254267ca8616
SHA1 9c4be7685d74bc69cb2257752869d32869902d28
SHA256 ca9da0328c1ac82651a5282293a60bb9e46c533f2bde329d2f93ab81c86e6ac0
SHA512 43d3c16dc88577c8bf7c41d433e4b5b54251f5a72c559cf7c0a156ca997f8f33664fa7e6ed1b4dc8d2fe5508893ace5158f6b0d5ec9a5187d4f842259c51d881

memory/1640-120-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1832-119-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\3-5-2025.exe

MD5 8425f07ababa51f95e72d7944e60e4b1
SHA1 3314bad1808d14be46bf96c1f3d7fcdb0dfe6e02
SHA256 e37d479ef463691262d6ecee631df52cb6f1ff96867cc700cbc37c14fb1b4e47
SHA512 db971a1e051030289601403d1b95bd27d38c45ff3c8a602886acbe0282a3532e71b0e3c2c9135e45f1200b5b7abed557357c86336adbe2b88b6da36d26837f5e

memory/4972-133-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3380-154-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4692-166-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3380-167-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1484-168-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3296-165-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4692-173-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 d029d3be2972528e17fdb573d5f5f9d4
SHA1 1d856f859cbf76d2fd4181126713600c94a179d4
SHA256 e4b7f33d07656212458176cb1742e61185f2db067699fe1e8274442e4f86f295
SHA512 3625ca6d501c9d0197ba8b21a4134e3660992812140feb4625a7d7ef479d4d0a476f4a9c01c0c4faba2eaa04bcc9be079505a7c79481cf3f32fa01e64b12afab

memory/2876-177-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4036-179-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1640-182-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4036-188-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\3-5-2025.exe

MD5 c1253ef816ab533b4e385f81c3bc6291
SHA1 ec812e5a6cce024d21526af40c0f98eb90232fbe
SHA256 08594e1645c5394b03ce62ada7d99309d953102808846549b829a9774956e449
SHA512 babf0a92b8ec859c5ef45c52850c861488126b5f74636d9fcffb2815054f1f1e8bb08d35cc7ce05e4df255c74787b13a28263bfa6c008a33191c16414e615f45

C:\Windows\SysWOW64\drivers\system32.exe

MD5 6620e44a609922cc876f886b0aed62a7
SHA1 5dbd1bcf01b3fd89a3b1193019caf08c9ee0bd66
SHA256 ff658117b6fdbd0fe775e1b8791bcd7e67411f910736c408bb368d6008d12eef
SHA512 3f90688467439141b205ea3c576fc4d7c474d15d95ee4069f46a7b707a9599ba485c0ca7c78269380d0407b0dc74355b2f00ae9081a1c2d9ae9db6dcd0505ca5

memory/4740-202-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3924-222-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2876-234-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4908-236-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4904-238-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3968-239-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4740-237-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4700-235-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4904-246-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4352-247-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2776-259-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3040-260-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4252-266-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3116-269-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4140-271-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4568-272-0x0000000000400000-0x000000000042B000-memory.dmp

memory/540-273-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-03 15:50

Reported

2025-05-03 15:52

Platform

win11-20250502-en

Max time kernel

150s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Modifies visiblity of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\P: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\E:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\N:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\A:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\J:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\N:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\S:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\X:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\3-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2329104403-2882594830-3136665766-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2412 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2412 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2412 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3960 wrote to memory of 4808 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3960 wrote to memory of 4808 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3960 wrote to memory of 4808 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3960 wrote to memory of 3776 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3960 wrote to memory of 3776 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3960 wrote to memory of 3776 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3776 wrote to memory of 3172 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3776 wrote to memory of 3172 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3776 wrote to memory of 3172 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3776 wrote to memory of 4508 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3776 wrote to memory of 4508 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3776 wrote to memory of 4508 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3776 wrote to memory of 2564 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3776 wrote to memory of 2564 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3776 wrote to memory of 2564 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 2564 wrote to memory of 1848 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2564 wrote to memory of 1848 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2564 wrote to memory of 1848 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2564 wrote to memory of 5300 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2564 wrote to memory of 5300 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2564 wrote to memory of 5300 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2564 wrote to memory of 5108 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 2564 wrote to memory of 5108 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 2564 wrote to memory of 5108 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 2564 wrote to memory of 2108 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2564 wrote to memory of 2108 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2564 wrote to memory of 2108 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2108 wrote to memory of 3040 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2108 wrote to memory of 3040 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2108 wrote to memory of 3040 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2412 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2412 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2412 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2108 wrote to memory of 3100 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2108 wrote to memory of 3100 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2108 wrote to memory of 3100 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2412 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 2412 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 2412 wrote to memory of 2060 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 2108 wrote to memory of 5456 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 2108 wrote to memory of 5456 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 2108 wrote to memory of 5456 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 2412 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2412 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2412 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2108 wrote to memory of 2244 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2108 wrote to memory of 2244 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2108 wrote to memory of 2244 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2412 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2412 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2412 wrote to memory of 3336 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2108 wrote to memory of 4212 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2108 wrote to memory of 4212 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2108 wrote to memory of 4212 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2564 wrote to memory of 2512 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2564 wrote to memory of 2512 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2564 wrote to memory of 2512 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3776 wrote to memory of 1912 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3776 wrote to memory of 1912 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3776 wrote to memory of 1912 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3336 wrote to memory of 5656 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_0187b29f338fa5329aecfdf4dd33458a_black-basta_elex_hijackloader_luca-stealer.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 3-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Files

memory/2412-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

MD5 0187b29f338fa5329aecfdf4dd33458a
SHA1 da8b3f2af5e495daa6040b420dc4e0ac40d39c9b
SHA256 7edeb8b50717817a353d24aadcecec71fd9ed6648998384b723017d98d79a45b
SHA512 1257fcbe48c4e74adeaddb6957dd7702bc19ff6bdeed88500041f1f1db3f711c101e51e598e55f2c638af3a5cf3c48eaa0f76902193750e249913d7d0affdb54

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

MD5 984643d1ed01b4b3084d3c35b50e0015
SHA1 2697549eb4b527db5d797dcb792a2497a24110f4
SHA256 c7df9a68bd6b0cf16add2ed42f0bdc320b017a0178861c28219a280416f91830
SHA512 b7bd81022f5f49b34842ec96b96de0957c1386446ad77ab21409b18144cc868dc344fbcf791204c5dc2f80f32ed8ae0baf9ff03f030f14ba8e7866079b026d63

memory/3960-32-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 6f24837ffea15f4ec7902e1ad7c72cd0
SHA1 742890f230bce81d6dfb873b1c27f024e936eb1b
SHA256 98d40d6e528df525efb54a604d91ad78cd9d4392af52b56692e042733857e955
SHA512 20318354a0bd78abf21bd9b138971b34daffc0713085fd6d68c6120cf6f71c65e7ae6fb7a6fd7c13c7cf4ecc29aba8af6e9740507da336aac0a919cdce034699

memory/4808-70-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4808-73-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

MD5 f2fd96d3c1b0d017b2e03cace136008b
SHA1 32fff01894d82f62548c6d4496a9f233bc93c797
SHA256 3c071a5a59b84888dd3aab5623828a71e9f71e903a3a01110603eeaf67b74dd2
SHA512 bcfdd0a9cff64cd887e36f458be69ab3a5d3c2031b7ea3b6e5778a297c583ac8d184f15a7e78fa0693a93a593aa72d0e1af7c95d8bda47478fd50dab1e8d6795

memory/3776-76-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\SysWOW64\drivers\system32.exe

MD5 a7e92d73089a6ada18991ed2df1cb7b6
SHA1 13d779d94a7be32a3c24c64ea426680de6b678d6
SHA256 e3f88830dad4e8b1587ae3d767c258347e88fde6892d271fca3eaf7e058ab37b
SHA512 f54d74581d5fb3ce4c65b0efde34237ef7cac4803a3c12988613241c613d319aef8702c5918c3b8fd1026927ffcaffca19788ec372d4666e100b12ce08cc03ff

memory/4508-117-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2564-122-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

MD5 38fdaadfebea03b9b64ff95400f28340
SHA1 3be99e5a06ea9b448f2ffcef14667c043954edf1
SHA256 1a5f95c786d8aa8f2d0deae1fd8a51f0b8a0893507dbf40942281144fa0463d7
SHA512 0f69e1fc94f1a4ed467c94b06dd64e079abd29cf0aeb351b729d3ca78134a47f4a12fdf3ed2ec7e70817fc8426cb8257f40ca35e88e547ee606da8372b9a4428

memory/4508-114-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3172-113-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2412-126-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3960-148-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5300-157-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5108-159-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5300-161-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5108-164-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 f91ab7664eccff5cb4f1600a98c14063
SHA1 2434b80bbf1d361b93e0769104289c9c4171ae2a
SHA256 0da1c4e65e0da3bc0e452778ba15287c7dc5f7a82944039b619194ac1b9d62e6
SHA512 285baab7c41cb161eb1fbc1824bc8aaa98c93a071c37c549d47c3ee61b22b27066a177b55adca9cce46c95452125b783db4fb312c128f5893a89a6592c66c36c

memory/2108-168-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3776-167-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\3-5-2025.exe

MD5 62b490e0dc9ca7d6dbee42594d6bce2c
SHA1 a8fc9a061cf26d86575e8feec3232c03d1cff3ec
SHA256 fad0a802727d4a84bab726fa741fce5055dddd536353467040bf64635eca4241
SHA512 832e67926e5bfe544d34c441c19645577403bf203bde7f3dbdb1e493601fecdec236fc419b46b55a5875c125836303fac6f8e7517fb45d97c1f860e004829e81

C:\Windows\SysWOW64\drivers\system32.exe

MD5 e750d3811a43c0c2a851e3727a8aaeae
SHA1 771c8d1bfc6c75dab8b0985952a9320113f98c83
SHA256 e89f89dec47c34dbc72b90e1f622e0f024cbccf05aeb697ffbaa7e4215f20dd2
SHA512 02c22240f8765b05a06fbef7c26600db09fac5aba4b6c16815dee54c7f68f642e9f1fccd90af6fc33b6df53b8dfab4eb4cfe9642aed2ef4bec4156ff67a276c6

memory/3308-205-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3100-208-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2564-204-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4796-219-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2244-220-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2108-226-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3336-225-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4212-233-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2512-242-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3648-252-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1912-253-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5656-256-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3648-259-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5296-262-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3472-263-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3336-264-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2288-270-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5620-274-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5756-275-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5400-278-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a