Malware Analysis Report

2025-08-05 15:10

Sample ID 250503-teaw6av1ez
Target 2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer
SHA256 39d98d6cd9f959e770a930b09470cd492cb311fecc87bbd698b070b36fafd4d5
Tags
upx defense_evasion discovery persistence ransomware trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

39d98d6cd9f959e770a930b09470cd492cb311fecc87bbd698b070b36fafd4d5

Threat Level: Known bad

The file 2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer was found to be: Known bad.

Malicious Activity Summary

upx defense_evasion discovery persistence ransomware trojan

Modifies visibility of file extensions in Explorer

UAC bypass

Modifies WinLogon for persistence

Modifies visiblity of hidden/system files in Explorer

Drops file in Drivers directory

Disables use of System Restore points

Disables RegEdit via registry modification

Event Triggered Execution: Image File Execution Options Injection

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Drops desktop.ini file(s)

Checks whether UAC is enabled

Enumerates connected drives

Sets desktop wallpaper using registry

Drops file in System32 directory

UPX packed file

Drops autorun.inf file

Drops file in Windows directory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Unsigned PE

Runs ping.exe

Modifies Internet Explorer settings

Modifies Control Panel

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

System policy modification

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-05-03 15:57

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-05-03 15:57

Reported

2025-05-03 16:00

Platform

win10v2004-20250502-en

Max time kernel

149s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A

Modifies visiblity of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification F:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\V: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\A: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\M: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\B: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\A: C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created \??\Y:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\X:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\H:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification F:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\M:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\M:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification D:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\S:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\H:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\N:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\N:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification D:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\I:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\G:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\V:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\Z:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\3-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3690492401-2005096563-3427069815-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1584 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 1584 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 1584 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2212 wrote to memory of 4292 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2212 wrote to memory of 4292 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2212 wrote to memory of 4292 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2212 wrote to memory of 1780 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2212 wrote to memory of 1780 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2212 wrote to memory of 1780 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 1780 wrote to memory of 2504 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 1780 wrote to memory of 2504 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 1780 wrote to memory of 2504 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 1780 wrote to memory of 4520 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 1780 wrote to memory of 4520 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 1780 wrote to memory of 4520 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 1780 wrote to memory of 3196 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 1780 wrote to memory of 3196 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 1780 wrote to memory of 3196 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3196 wrote to memory of 1400 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3196 wrote to memory of 1400 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3196 wrote to memory of 1400 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3196 wrote to memory of 5064 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3196 wrote to memory of 5064 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3196 wrote to memory of 5064 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3196 wrote to memory of 4664 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3196 wrote to memory of 4664 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3196 wrote to memory of 4664 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3196 wrote to memory of 2476 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3196 wrote to memory of 2476 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3196 wrote to memory of 2476 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2476 wrote to memory of 4916 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2476 wrote to memory of 4916 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2476 wrote to memory of 4916 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2476 wrote to memory of 3056 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2476 wrote to memory of 3056 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2476 wrote to memory of 3056 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2476 wrote to memory of 1604 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 2476 wrote to memory of 1604 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 2476 wrote to memory of 1604 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 2476 wrote to memory of 3088 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2476 wrote to memory of 3088 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2476 wrote to memory of 3088 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2476 wrote to memory of 2976 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2476 wrote to memory of 2976 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2476 wrote to memory of 2976 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2976 wrote to memory of 3028 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2976 wrote to memory of 3028 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2976 wrote to memory of 3028 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2976 wrote to memory of 4200 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2976 wrote to memory of 4200 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2976 wrote to memory of 4200 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2976 wrote to memory of 1712 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 2976 wrote to memory of 1712 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 2976 wrote to memory of 1712 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 2976 wrote to memory of 2640 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2976 wrote to memory of 2640 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2976 wrote to memory of 2640 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 2976 wrote to memory of 4224 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2976 wrote to memory of 4224 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 2976 wrote to memory of 4224 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3196 wrote to memory of 3452 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3196 wrote to memory of 3452 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3196 wrote to memory of 3452 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 1780 wrote to memory of 396 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

defense_evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 3-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Country Destination Domain Proto
US 8.8.8.8:53 c.pki.goog udp
DE 142.250.184.195:80 c.pki.goog tcp

Files

memory/1584-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

MD5 0057c5d38129fd05bd14195add76d2d4
SHA1 2eb0ca3fed52b18f3276c6de88fe885aeb5c3e98
SHA256 8c70719761f74117887f6b613de0eb7745b1bf4c7c236251a666c96b0188870d
SHA512 781f81e5291f22cebef7d1687bcd2756d8d04d192b44b098e24af37b70e54f0d10fbd13d1c58e6f69bdeee608173e3c244a7873035157bc28db6146063dc83f0

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

MD5 bc7afaee3eb02f4af723afe64e39ee70
SHA1 c3c904487f7989a50e20470a2e73e1c172628a7f
SHA256 177e234a54efc0101dfb9b213a1abf78e7353db098de517e607749fdb56fc4bc
SHA512 8e3f89370098cee26d957a55aa962ecb8c718b7b99e4d42cfe3b5ba0f9bcc2e58a70f7de70fff36be6b6493258ed5cf77a3694c23f29304478f4afbe8ea62983

memory/2212-32-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/4292-70-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1780-77-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4292-76-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

MD5 a47557e15823e226bda337e7dbabc26d
SHA1 528d2af22a3c9a77a0f32eaf73ea207a3a0625ae
SHA256 547b60c00681920bd59b395bc6b359609d9881a042337f788758bc8f82d39770
SHA512 7de81bdb79d4c6b78d90a2955da0dc41c2c96a6bd2e6d0ea542dacca6049098966be0125e45127415369fc002d60c8b6e8c1a6787ba6b611b3bf4db2b75205cb

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

memory/4520-114-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2504-113-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4520-117-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3196-122-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

MD5 c8d6b5f9358ff325422af07b90afb4cd
SHA1 1b9af89076b4ff5e2fb57e9e20654ff5f3d9d641
SHA256 3416ab65b731bdf915e8fdef79d8b84d259be765f107cc37eadc5ebb39158c0e
SHA512 95d6ce8f2739d92ac424053c07a0bb5969e6d0c872a90425b48ead4f09ee702bf44925f7558a93105dde6320f8d818bd889003f9248b8b731a8592db3b8aab53

memory/1584-153-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1400-155-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2212-159-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5064-160-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4664-163-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2476-166-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 f61eb3681fe607dc97e40f5cf8350e5f
SHA1 b9591c9c4f0187089b0ea784524a58315b060905
SHA256 26a0a49b4e408977d1454f8b1edcc0df93914771c7440f4c7e5587ed7127ab77
SHA512 321b4f518dd77cc5d66154205f7299f87d91f524d8470a33d68647561ea0a39b7469d58223a1352485dc60dbed065e75406d7a87f4105d204d43bbcb91393ca6

memory/1780-189-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4916-195-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3196-200-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3056-202-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1604-205-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3088-208-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\drivers\system32.exe

MD5 50f183967d34df9bbe9a9ac0aa5c2d49
SHA1 909d6e0bed866e3a69b498dca6725f648096fbfe
SHA256 22b9f603a57e87bbc8e3faebc42c78e75c8fdcda7c89950fc5d6c959c3d34fa6
SHA512 60dcef887a32e878885cc3d0ff47cfd1cb56e95bd59b9efb29d2d0504467b06d88a2136ecf2f9952c8433d92919b5e6866b2c3de80f12880a4052c9e64c05082

memory/2976-211-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3028-232-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4200-236-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1712-239-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2476-238-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2640-242-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4224-245-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3452-251-0x0000000000400000-0x000000000042B000-memory.dmp

memory/396-256-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3728-260-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2040-261-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2976-259-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3052-266-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3496-274-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1388-275-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2348-271-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2348-278-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4460-279-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a

C:\Admin Games\Kazekage.exe

MD5 5f079eacc7facd771d883a19731aa945
SHA1 378f8dce17f3cf59a9e0e0dd4c09ee0567b53c2b
SHA256 221badb4ee41abb2fd6746c63276671b3c4336d7a18f32b76969eea03ecc04d7
SHA512 6562f60e66582c478505ba913f9d2d3b1a0f683db627a6e38b9b95aee31af553b5d3a065a7cb412a033ef226551c8c2e89f8c2f8d4dfaf2ad673fc5eafbe61da

Analysis: behavioral2

Detonation Overview

Submitted

2025-05-03 15:57

Reported

2025-05-03 16:00

Platform

win11-20250502-en

Max time kernel

150s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe"

Signatures

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "userinit.exe,drivers\\system32.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe, drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A

Modifies visibility of file extensions in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies visiblity of hidden/system files in Explorer

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

UAC bypass

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A

Disables RegEdit via registry modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A

Disables use of System Restore points

defense_evasion

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\system32.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cscript.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Rin.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspoold.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\kspool.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedt32.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Funny UST Scandal.avi.exe\Debugger = "cmd.exe /c del" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\regedit.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\KakashiHatake.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Thumbs.com C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msconfig.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HokageFile.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Obito.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HOKAGE4.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\Debugger = "cmd.exe /c del" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mmc.exe\Debugger = "drivers\\Kazekage.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SystemRun = "drivers\\csrss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DesertSand = "Fonts\\Admin 3 - 5 - 2025\\smss.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\FreeAV = "Fonts\\Admin 3 - 5 - 2025\\Gaara.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\644r4 = "3-5-2025.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A

Checks whether UAC is enabled

defense_evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification D:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\I:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Q:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\Z:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\P:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\W:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\X:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\N:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\M:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\A:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Y:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\E:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\H:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\L:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\T:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\R:\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\B:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\J:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\S:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\V:\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\U:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\G:\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Y: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\H: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\O: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\J: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\R: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\T: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\X: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\I: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\N: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\L: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\Z: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\J: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\G: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\Y: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\T: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\I: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\M: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\S: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\G: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\A: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\V: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\K: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\U: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\R: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\Q: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\L: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\B: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\P: C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened (read-only) \??\S: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\U: C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened (read-only) \??\O: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\W: C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened (read-only) \??\K: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\X: C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened (read-only) \??\Q: C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A

Drops autorun.inf file

Description Indicator Process Target
File created \??\A:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\K:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\O:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\U:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\I:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\A:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\L:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\S:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created F:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\E:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\J:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\W:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification F:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\Y:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\G:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\V:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\Z:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\Q:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\P:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\T:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\B:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\X:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\R:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\M:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\S:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\T:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\B:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\R:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created \??\G:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\L:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\O:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created \??\H:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\P:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\U:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created \??\T:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created \??\W:\Autorun.inf C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification \??\K:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\H:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification \??\Q:\Autorun.inf C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created D:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created \??\W:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification \??\E:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification \??\J:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A
File created \??\R:\Autorun.inf C:\Windows\SysWOW64\drivers\system32.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\3-5-2025.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\Desktop.ini C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\3-5-2025.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\SysWOW64\ C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\SysWOW64\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\SysWOW64\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\SysWOW64\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\Wallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe N/A
File created C:\Windows\mscomctl.ocx C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\mscoree.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File created C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\system\msvbvm60.dll C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File created C:\Windows\WBEM\msvbvm60.dll C:\Windows\SysWOW64\drivers\system32.exe N/A
File opened for modification C:\Windows\mscomctl.ocx C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
File opened for modification C:\Windows\Fonts\The Kazekage.jpg C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File opened for modification C:\Windows\msvbvm60.dll C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
File created C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
File opened for modification C:\Windows\ C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\drivers\system32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\ping.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Modifies Control Panel

defense_evasion
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\BackgroundColor = "0 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Size = "72" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ScreenSaveTimeOut = "400" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Font = "Blackadder ITC" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Mode.EXE = "1" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\SCRNSAVE.EXE = "ssmarque.scr" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\TextColor = "255 0 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Text = "Gaara The Kazekage ( Warning : don't save any porn stuffs files in this computer )" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee\Speed = "4" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Screen Saver.Marquee C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "C:\\Windows\\Fonts\\The Kazekage.jpg" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\WallpaperStyle = "2" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Control Panel\Desktop\ConvertedWallpaper = "Fonts\\The Kazekage.jpg" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main\Window Title = "!!! Hello HokageFile (AnbuTeam-Sampit), Is this my places, Wanna start a War !!!" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\USER\S-1-5-21-779059454-4269757009-3780780039-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\SysWOW64\drivers\system32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Edit\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command\ = "shutdown -r -f -t 0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open\Command\ = "calc.exe" C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\inffile\shell\Install\command C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\VBSFile\Shell\Open2\Command C:\Windows\SysWOW64\drivers\system32.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A
N/A N/A C:\Windows\SysWOW64\ping.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
N/A N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
N/A N/A C:\Windows\SysWOW64\drivers\system32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5784 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 5784 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 5784 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2940 wrote to memory of 2752 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2940 wrote to memory of 2752 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2940 wrote to memory of 2752 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 2940 wrote to memory of 3952 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2940 wrote to memory of 3952 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 2940 wrote to memory of 3952 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3952 wrote to memory of 5220 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3952 wrote to memory of 5220 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3952 wrote to memory of 5220 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3952 wrote to memory of 2348 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3952 wrote to memory of 2348 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3952 wrote to memory of 2348 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3952 wrote to memory of 5516 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3952 wrote to memory of 5516 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3952 wrote to memory of 5516 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 5516 wrote to memory of 3684 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 5516 wrote to memory of 3684 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 5516 wrote to memory of 3684 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 5516 wrote to memory of 5316 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 5516 wrote to memory of 5316 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 5516 wrote to memory of 5316 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 5516 wrote to memory of 5004 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 5516 wrote to memory of 5004 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 5516 wrote to memory of 5004 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 5516 wrote to memory of 3160 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5516 wrote to memory of 3160 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 5516 wrote to memory of 3160 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3160 wrote to memory of 464 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3160 wrote to memory of 464 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3160 wrote to memory of 464 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 3160 wrote to memory of 548 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3160 wrote to memory of 548 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3160 wrote to memory of 548 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 3160 wrote to memory of 744 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3160 wrote to memory of 744 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3160 wrote to memory of 744 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 3160 wrote to memory of 1056 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3160 wrote to memory of 1056 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3160 wrote to memory of 1056 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 3160 wrote to memory of 248 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3160 wrote to memory of 248 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3160 wrote to memory of 248 N/A C:\Windows\SysWOW64\drivers\Kazekage.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 248 wrote to memory of 5876 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 248 wrote to memory of 5876 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 248 wrote to memory of 5876 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe
PID 248 wrote to memory of 5856 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 248 wrote to memory of 5856 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 248 wrote to memory of 5856 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe
PID 248 wrote to memory of 4480 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 248 wrote to memory of 4480 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 248 wrote to memory of 4480 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe
PID 248 wrote to memory of 5088 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 248 wrote to memory of 5088 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 248 wrote to memory of 5088 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\Kazekage.exe
PID 248 wrote to memory of 2976 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 248 wrote to memory of 2976 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 248 wrote to memory of 2976 N/A C:\Windows\SysWOW64\drivers\system32.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5516 wrote to memory of 3388 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5516 wrote to memory of 3388 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 5516 wrote to memory of 3388 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe C:\Windows\SysWOW64\drivers\system32.exe
PID 3952 wrote to memory of 5580 N/A C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe C:\Windows\SysWOW64\drivers\Kazekage.exe

System policy modification

defense_evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\system32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\system32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\SysWOW64\drivers\Kazekage.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe

"C:\Users\Admin\AppData\Local\Temp\2025-05-03_456c521cfcd8766448c2d24f229aab38_black-basta_elex_hijackloader_luca-stealer.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe"

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

"C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe"

C:\Windows\SysWOW64\drivers\Kazekage.exe

C:\Windows\system32\drivers\Kazekage.exe

C:\Windows\SysWOW64\drivers\system32.exe

C:\Windows\system32\drivers\system32.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\smss.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c Fonts\Admin 3 - 5 - 2025\Gaara.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c 3-5-2025.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c drivers\csrss.exe

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.rasasayang.com.my 65500

C:\Windows\SysWOW64\ping.exe

ping -a -l www.duniasex.com 65500

Network

Files

memory/5784-0-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

MD5 456c521cfcd8766448c2d24f229aab38
SHA1 ae5b1f5abe5f7144b5d021b8a87846a2c278edde
SHA256 39d98d6cd9f959e770a930b09470cd492cb311fecc87bbd698b070b36fafd4d5
SHA512 0ed512dd0f33476f83decc840573611ec4f60eb43a79cfae2e4639c13e78278108b6806eb1362a5b8b996b76d57f500f027b250659aad9c6aee2067358abe590

C:\Windows\System\msvbvm60.dll

MD5 25f62c02619174b35851b0e0455b3d94
SHA1 4e8ee85157f1769f6e3f61c0acbe59072209da71
SHA256 898288bd3b21d0e7d5f406df2e0b69a5bbfa4f241baf29a2cdf8a3cf4d4619f2
SHA512 f4529fd9eca4e4696f7f06874866ff98a1447a9b0d3a20ef0de54d4d694e2497fd39c452f73fab9b8a02962a7b2b88d1e85f6e35c7cbcb9555003c6828bebc3a

C:\Windows\Fonts\Admin 3 - 5 - 2025\smss.exe

MD5 bc7afaee3eb02f4af723afe64e39ee70
SHA1 c3c904487f7989a50e20470a2e73e1c172628a7f
SHA256 177e234a54efc0101dfb9b213a1abf78e7353db098de517e607749fdb56fc4bc
SHA512 8e3f89370098cee26d957a55aa962ecb8c718b7b99e4d42cfe3b5ba0f9bcc2e58a70f7de70fff36be6b6493258ed5cf77a3694c23f29304478f4afbe8ea62983

memory/2940-32-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d6b05020d4a0ec2a3a8b687099e335df
SHA1 df239d830ebcd1cde5c68c46a7b76dad49d415f4
SHA256 9824b98dab6af65a9e84c2ea40e9df948f9766ce2096e81feecad7db8dd6080a
SHA512 78fd360faa4d34f5732056d6e9ad7b9930964441c69cf24535845d397de92179553b9377a25649c01eb5ac7d547c29cc964e69ede7f2af9fc677508a99251fff

C:\Windows\SysWOW64\3-5-2025.exe

MD5 79a3d011fb86cd717ac653281a31c49d
SHA1 d18a8dc1ba0be46dc18d2c4222644adac015d5bc
SHA256 ccbd9743a22442a4adce844d3cce6622552caf60903a0dc696dfd4b0a7dbef37
SHA512 92bf883a8a9ec98c4f9437b71068d813eb6d16b5623fc43a1f56e6c0dca1454376ea232bfc470d3aff2b65d248ff38115526a01db7401079180507173c0416e4

memory/2752-70-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2752-73-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 3 - 5 - 2025\Gaara.exe

MD5 a47557e15823e226bda337e7dbabc26d
SHA1 528d2af22a3c9a77a0f32eaf73ea207a3a0625ae
SHA256 547b60c00681920bd59b395bc6b359609d9881a042337f788758bc8f82d39770
SHA512 7de81bdb79d4c6b78d90a2955da0dc41c2c96a6bd2e6d0ea542dacca6049098966be0125e45127415369fc002d60c8b6e8c1a6787ba6b611b3bf4db2b75205cb

memory/3952-78-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\The Kazekage.jpg

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2348-115-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5516-120-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\Fonts\Admin 3 - 5 - 2025\csrss.exe

MD5 c8d6b5f9358ff325422af07b90afb4cd
SHA1 1b9af89076b4ff5e2fb57e9e20654ff5f3d9d641
SHA256 3416ab65b731bdf915e8fdef79d8b84d259be765f107cc37eadc5ebb39158c0e
SHA512 95d6ce8f2739d92ac424053c07a0bb5969e6d0c872a90425b48ead4f09ee702bf44925f7558a93105dde6320f8d818bd889003f9248b8b731a8592db3b8aab53

C:\Windows\SysWOW64\drivers\system32.exe

MD5 a758f842434f42340f96507c5d9325c6
SHA1 d7fa0b19ec71a9a103899c2c5daea092d485cfdd
SHA256 3ab9e4834b71b4f3cc4f16e017303c4e091bf3b1fb4dc0d0b569c2a3d7018784
SHA512 4c73476c36e0ae554269a4960c6728d30eb7165695316d4f72abe26b3695cbd98e56c346df4feaa3f167cb09973c76969b9a0e413b1492e2b8a5928ec3e4cccb

C:\Windows\SysWOW64\drivers\system32.exe

MD5 9c2f09f3da010369b8f89c18b6c38585
SHA1 16eec10b59bb6a9b47d2f83e8c5dea7330263144
SHA256 c6896529c73989e9c3bd66a59e8b9694982cf20eb0609ae81aae2bac2fce5658
SHA512 519f3de2c9bbd4d7e836cf96ff5494d5928769a4d8bbecfa11353712b68aaeca57656b2b586e4a418dc8cffb629c1ad4a528c3f3cf8d56577067a73f2f94d1f8

C:\Windows\SysWOW64\drivers\Kazekage.exe

MD5 11739404073274d2c0dbede1da293833
SHA1 f44f429d0d9bfff112524d434fb9ba6dc81baeab
SHA256 bdf22e17eec74ba0c9491fedcdf0eeef988f5595d2db19d0390583ee42a5f070
SHA512 01b58ecd56e164f1d1718eb7343d90e11d3bef620a0f9f9fd2120ac0b6395494bc107171debadb2a5a375c509bb7d894a66bc9e883c9f5f51b287e34acc08e12

memory/5316-150-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5004-157-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5316-156-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5004-160-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3160-165-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5784-164-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Windows\SysWOW64\3-5-2025.exe

MD5 eb0c8742a56d978676353c34fbd665d3
SHA1 b25f43e6fa6a0bf69f5cc237d8b6200f8ac78d87
SHA256 8bf43ac790ac00ba14e54e8c0b8c62a21a1e8635a60233e1400c79db39d0b8d5
SHA512 f3a20c2cd09b5dbded32658c25788a2be4fba78f503a6848b4c10c74aa7e5706053f5f288b52fa3c5b2f7c7272f2f70c3812264c516d1fcabcaea8dc5b35abb6

C:\Windows\SysWOW64\drivers\system32.exe

MD5 75d54f4c81e07f2b7ffebd6ed11b3848
SHA1 adc0200421c0f0a44593f201e1c916281414fbb0
SHA256 9bbffae6fea561b06972c02c4a4531d37ee0de23d611626bac85255daf815df1
SHA512 60e3c512b43f191e5f02fe76e7c18c1113c533c834369a64554a20990f178e534a9d30b9692abb495919ebaaac7b992c816406a74a72e5f4ddc785f4ad4870d3

memory/2940-188-0x0000000000400000-0x000000000042B000-memory.dmp

memory/464-193-0x0000000000400000-0x000000000042B000-memory.dmp

memory/548-201-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3952-198-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1056-205-0x0000000000400000-0x000000000042B000-memory.dmp

memory/248-209-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5516-227-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5856-232-0x0000000000400000-0x000000000042B000-memory.dmp

memory/4480-236-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5088-235-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2976-241-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3388-247-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5580-253-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5524-256-0x0000000000400000-0x000000000042B000-memory.dmp

memory/248-259-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1784-262-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5996-265-0x0000000000400000-0x000000000042B000-memory.dmp

memory/1824-272-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5864-275-0x0000000000400000-0x000000000042B000-memory.dmp

memory/2976-244-0x0000000000400000-0x000000000042B000-memory.dmp

memory/3160-240-0x0000000000400000-0x000000000042B000-memory.dmp

memory/5088-239-0x0000000000400000-0x000000000042B000-memory.dmp

memory/576-276-0x0000000000400000-0x000000000042B000-memory.dmp

C:\Autorun.inf

MD5 1564dfe69ffed40950e5cb644e0894d1
SHA1 201b6f7a01cc49bb698bea6d4945a082ed454ce4
SHA256 be114a2dbcc08540b314b01882aa836a772a883322a77b67aab31233e26dc184
SHA512 72df187e39674b657974392cfa268e71ef86dc101ebd2303896381ca56d3c05aa9db3f0ab7d0e428d7436e0108c8f19e94c2013814d30b0b95a23a6b9e341097

C:\Admin Games\Readme.txt

MD5 bb5d6abdf8d0948ac6895ce7fdfbc151
SHA1 9266b7a247a4685892197194d2b9b86c8f6dddbd
SHA256 5db2e0915b5464d32e83484f8ae5e3c73d2c78f238fde5f58f9b40dbb5322de8
SHA512 878444760e8df878d65bb62b4798177e168eb099def58ad3634f4348e96705c83f74324f9fa358f0eff389991976698a233ca53e9b72034ae11c86d42322a76c

C:\Windows\SysWOW64\Desktop.ini

MD5 64acfa7e03b01f48294cf30d201a0026
SHA1 10facd995b38a095f30b4a800fa454c0bcbf8438
SHA256 ba8159d865d106e7b4d0043007a63d1541e1de455dc8d7ff0edd3013bd425c62
SHA512 65a9b2e639de74a2a7faa83463a03f5f5b526495e3c793ec1e144c422ed0b842dd304cd5ff4f8aec3d76d826507030c5916f70a231429cea636ec2d8ab43931a