Analysis
- max time kernel: 149s
- max time network: 141s
- platform: windows10-2004_x64
- resource: win10v2004-20250619-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04/07/2025, 12:09
Static task: static1
Behavioral task: behavioral1
- Sample: 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
- Resource: win10v2004-20250619-en
Behavioral task: behavioral2
- Sample: 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
- Resource: win11-20250619-en
General
- Target: 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
- Size: 1.7MB
- MD5: e37be1089c7fab683aad8eba3d1056b1
- SHA1: 553834e528d3c3e08057a3825cf63fa7687c13a3
- SHA256: 273c547c2f03d92388f8b8a2c953814e2f0d850428123fe8d076976767935be8
- SHA512: b31c32bb72f7911c8b2e3c12508d5a9e887d60eff4cfde68b374cfe3892b6490217bdd1017ed50b1e1d0d6e40386df73fa3b8b04e57e5dcd1c994060a80fe3a9
- SSDEEP: 24576:SmzSJw6X23ttqFjSxeEY3oouRRdL+wf40m9v17YDdOJyAUw61+:SmzSJw/eEY3aj5TfDm9N7GdOQZ1
Malware Config
Signatures
- Renames multiple (257) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops file in Drivers directory (3 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | Logo1_.exe
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | rundl132.exe
- Executes dropped EXE (3 IoCs)
  pid | Process
  3276 | Logo1_.exe
  4240 | rundl132.exe
  4712 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
- Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" | Logo1_.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\Z: | Logo1_.exe
  File opened (read-only) | \??\V: | Logo1_.exe
  File opened (read-only) | \??\U: | Logo1_.exe
  File opened (read-only) | \??\S: | Logo1_.exe
  File opened (read-only) | \??\Q: | Logo1_.exe
  File opened (read-only) | \??\P: | Logo1_.exe
  File opened (read-only) | \??\Y: | Logo1_.exe
  File opened (read-only) | \??\W: | Logo1_.exe
  File opened (read-only) | \??\T: | Logo1_.exe
  File opened (read-only) | \??\R: | Logo1_.exe
  File opened (read-only) | \??\M: | Logo1_.exe
  File opened (read-only) | \??\K: | Logo1_.exe
  File opened (read-only) | \??\G: | Logo1_.exe
  File opened (read-only) | \??\N: | Logo1_.exe
  File opened (read-only) | \??\H: | Logo1_.exe
  File opened (read-only) | \??\E: | Logo1_.exe
  File opened (read-only) | \??\X: | Logo1_.exe
  File opened (read-only) | \??\O: | Logo1_.exe
  File opened (read-only) | \??\L: | Logo1_.exe
  File opened (read-only) | \??\J: | Logo1_.exe
  File opened (read-only) | \??\I: | Logo1_.exe
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\uninstall\rundl132.exe | Logo1_.exe
  File created | C:\Windows\RichDll.dll | Logo1_.exe
  File created | C:\Windows\uninstall\rundl132.exe | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
  File created | C:\Windows\Logo1_.exe | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
- System Location Discovery: System Language Discovery (1 TTPs, 10 IoCs)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundl132.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of WriteProcessMemory (31 IoCs)
  description | pid | Process | procid_target
  PID 1972 wrote to memory of 4720 | 1972 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe | 85
  PID 1972 wrote to memory of 4720 | 1972 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe | 85
  PID 1972 wrote to memory of 4720 | 1972 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe | 85
  PID 4720 wrote to memory of 1532 | 4720 | net.exe | 87
  PID 4720 wrote to memory of 1532 | 4720 | net.exe | 87
  PID 4720 wrote to memory of 1532 | 4720 | net.exe | 87
  PID 1972 wrote to memory of 2544 | 1972 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe | 93
  PID 1972 wrote to memory of 2544 | 1972 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe | 93
  PID 1972 wrote to memory of 2544 | 1972 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe | 93
  PID 1972 wrote to memory of 3276 | 1972 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe | 94
  PID 1972 wrote to memory of 3276 | 1972 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe | 94
  PID 1972 wrote to memory of 3276 | 1972 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe | 94
  PID 3276 wrote to memory of 1076 | 3276 | Logo1_.exe | 96
  PID 3276 wrote to memory of 1076 | 3276 | Logo1_.exe | 96
  PID 3276 wrote to memory of 1076 | 3276 | Logo1_.exe | 96
  PID 4088 wrote to memory of 4240 | 4088 | cmd.exe | 98
  PID 4088 wrote to memory of 4240 | 4088 | cmd.exe | 98
  PID 4088 wrote to memory of 4240 | 4088 | cmd.exe | 98
  PID 1076 wrote to memory of 1880 | 1076 | net.exe | 99
  PID 1076 wrote to memory of 1880 | 1076 | net.exe | 99
  PID 1076 wrote to memory of 1880 | 1076 | net.exe | 99
  PID 2544 wrote to memory of 4712 | 2544 | cmd.exe | 100
  PID 2544 wrote to memory of 4712 | 2544 | cmd.exe | 100
  PID 3276 wrote to memory of 1600 | 3276 | Logo1_.exe | 102
  PID 3276 wrote to memory of 1600 | 3276 | Logo1_.exe | 102
  PID 3276 wrote to memory of 1600 | 3276 | Logo1_.exe | 102
  PID 1600 wrote to memory of 2612 | 1600 | net.exe | 104
  PID 1600 wrote to memory of 2612 | 1600 | net.exe | 104
  PID 1600 wrote to memory of 2612 | 1600 | net.exe | 104
  PID 3276 wrote to memory of 3452 | 3276 | Logo1_.exe | 56
  PID 3276 wrote to memory of 3452 | 3276 | Logo1_.exe | 56
Processes
- C:\Windows\Explorer.EXE (PID 3452)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe (PID 1972)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe"
    Signatures: Drops file in Drivers directory; Adds Run key to start application; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 4720)
      Command line: net stop "Kingsoft AntiVirus Service"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 1532)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 2544)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8CBF.bat
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe (PID 4712)
        Command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe"
        Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID 3276)
      Command line: C:\Windows\Logo1_.exe
      Signatures: Drops file in Drivers directory; Executes dropped EXE; Adds Run key to start application; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 1076)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 1880)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 1600)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2612)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Signatures: System Location Discovery: System Language Discovery
  - C:\Windows\system32\cmd.exe (PID 4088)
    Command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstall\rundl132.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\uninstall\rundl132.exe (PID 4240)
      Command line: C:\Windows\uninstall\rundl132.exe
      Signatures: Drops file in Drivers directory; Executes dropped EXE; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v16
- Privilege Escalation
  - Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Credential Access
  - Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
  - Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads