Analysis
max time kernel
149s
max time network
104s
platform
windows11-21h2_x64
resource
win11-20250619-en
resource tags
arch:x64 arch:x86 image:win11-20250619-en locale:en-us os:windows11-21h2-x64 system
submitted
04/07/2025, 12:09
Static task
static1
Behavioral task
behavioral1
Sample
2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
Resource
win10v2004-20250619-en
Behavioral task
behavioral2
Sample
2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
Resource
win11-20250619-en
General
-
Target
2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
-
Size
1.7MB
-
MD5
e37be1089c7fab683aad8eba3d1056b1
-
SHA1
553834e528d3c3e08057a3825cf63fa7687c13a3
-
SHA256
273c547c2f03d92388f8b8a2c953814e2f0d850428123fe8d076976767935be8
-
SHA512
b31c32bb72f7911c8b2e3c12508d5a9e887d60eff4cfde68b374cfe3892b6490217bdd1017ed50b1e1d0d6e40386df73fa3b8b04e57e5dcd1c994060a80fe3a9
-
SSDEEP
24576:SmzSJw6X23ttqFjSxeEY3oouRRdL+wf40m9v17YDdOJyAUw61+:SmzSJw/eEY3aj5TfDm9N7GdOQZ1
Malware Config
Signatures
-
Renames multiple (256) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Drops file in Drivers directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Logo1_.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | rundl132.exe
-
Executes dropped EXE 3 IoCs
pid | Process
1464 | Logo1_.exe
5288 | rundl132.exe
3172 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" | Logo1_.exe
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
-
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\createdump.exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.Exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Mozilla Firefox\RCX123A.tmp | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_196812\javaws.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\RCX1D2F.tmp | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javacpl.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\keytool.exe.Exe | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\Client\AppVLP.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe.Exe | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\pwahelper.exe.Exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\cookie_exporter.exe.Exe | Logo1_.exe
File created | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe.Exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.Exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | Logo1_.exe
File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe.Exe | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe.Exe | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_helper.exe.Exe | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge_proxy.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\createdump.exe.Exe | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\bin\keytool.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\RCX11C5.tmp | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\orbd.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\Widgets.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\RCX1BBB.tmp | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevated_tracing_service.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_helper.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jdeps.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jmap.exe | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\BHO\ie_to_edge_stub.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\cookie_exporter.exe | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\cookie_exporter.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_helper.exe | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe | Logo1_.exe
File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.Exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\tnameserv.exe | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe | Logo1_.exe
-
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\uninstall\rundl132.exe | Logo1_.exe
File created | C:\Windows\RichDll.dll | Logo1_.exe
File created | C:\Windows\uninstall\rundl132.exe | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
File created | C:\Windows\Logo1_.exe | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
-
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundl132.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
536 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe (entry listed repeatedly, once per enumeration event)
1464 | Logo1_.exe (entry listed repeatedly, once per enumeration event)
-
Suspicious use of WriteProcessMemory 31 IoCs
description | pid | Process | procid_target
PID 536 wrote to memory of 6100 | 536 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe | 78
PID 536 wrote to memory of 6100 | 536 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe | 78
PID 536 wrote to memory of 6100 | 536 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe | 78
PID 6100 wrote to memory of 2168 | 6100 | net.exe | 80
PID 6100 wrote to memory of 2168 | 6100 | net.exe | 80
PID 6100 wrote to memory of 2168 | 6100 | net.exe | 80
PID 536 wrote to memory of 4020 | 536 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe | 83
PID 536 wrote to memory of 4020 | 536 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe | 83
PID 536 wrote to memory of 4020 | 536 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe | 83
PID 536 wrote to memory of 1464 | 536 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe | 84
PID 536 wrote to memory of 1464 | 536 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe | 84
PID 536 wrote to memory of 1464 | 536 | 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe | 84
PID 1464 wrote to memory of 3092 | 1464 | Logo1_.exe | 86
PID 1464 wrote to memory of 3092 | 1464 | Logo1_.exe | 86
PID 1464 wrote to memory of 3092 | 1464 | Logo1_.exe | 86
PID 6092 wrote to memory of 5288 | 6092 | cmd.exe | 88
PID 6092 wrote to memory of 5288 | 6092 | cmd.exe | 88
PID 6092 wrote to memory of 5288 | 6092 | cmd.exe | 88
PID 4020 wrote to memory of 3172 | 4020 | cmd.exe | 89
PID 4020 wrote to memory of 3172 | 4020 | cmd.exe | 89
PID 3092 wrote to memory of 5780 | 3092 | net.exe | 90
PID 3092 wrote to memory of 5780 | 3092 | net.exe | 90
PID 3092 wrote to memory of 5780 | 3092 | net.exe | 90
PID 1464 wrote to memory of 3460 | 1464 | Logo1_.exe | 91
PID 1464 wrote to memory of 3460 | 1464 | Logo1_.exe | 91
PID 1464 wrote to memory of 3460 | 1464 | Logo1_.exe | 91
PID 3460 wrote to memory of 4856 | 3460 | net.exe | 93
PID 3460 wrote to memory of 4856 | 3460 | net.exe | 93
PID 3460 wrote to memory of 4856 | 3460 | net.exe | 93
PID 1464 wrote to memory of 3264 | 1464 | Logo1_.exe | 52
PID 1464 wrote to memory of 3264 | 1464 | Logo1_.exe | 52
Processes
-
(depth 1) C:\Windows\Explorer.EXE
command line: C:\Windows\Explorer.EXE
PID: 3264
  (depth 2) C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe"
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 536
    (depth 3) C:\Windows\SysWOW64\net.exe
    command line: net stop "Kingsoft AntiVirus Service"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 6100
      (depth 4) C:\Windows\SysWOW64\net1.exe
      command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      - System Location Discovery: System Language Discovery
      PID: 2168
    (depth 3) C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a79C4.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4020
      (depth 4) C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe"
      - Executes dropped EXE
      PID: 3172
    (depth 3) C:\Windows\Logo1_.exe
    command line: C:\Windows\Logo1_.exe
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1464
      (depth 4) C:\Windows\SysWOW64\net.exe
      command line: net stop "Kingsoft AntiVirus Service"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3092
        (depth 5) C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        PID: 5780
      (depth 4) C:\Windows\SysWOW64\net.exe
      command line: net stop "Kingsoft AntiVirus Service"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3460
        (depth 5) C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        PID: 4856
  (depth 2) C:\Windows\system32\cmd.exe
  command line: C:\Windows\system32\cmd.exe /c C:\Windows\uninstall\rundl132.exe
  - Suspicious use of WriteProcessMemory
  PID: 6092
    (depth 3) C:\Windows\uninstall\rundl132.exe
    command line: C:\Windows\uninstall\rundl132.exe
    - Drops file in Drivers directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID: 5288
Network
MITRE ATT&CK Enterprise v16
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
-
Filesize 156KB
MD5 c41bb9cefac868d0fa09898933b44049
SHA1 b6034d44fbd235d92ac5a8dc5cc1af21d3e88086
SHA256 a689b767857bf0b1b30b8c7d243782c6b26e660b022073b3ec564f5d23a278cb
SHA512 029af8ebc2631d0362ce52cb0bcbbce57a86d7985324701783db85d1247503188b6dc8feffff2067a9b11598f8b30606c79855a6ff741bdf05c1b98501323cd9
-
Filesize 94KB
MD5 42abd6418c18632af368b5f00d30ed6b
SHA1 24c4ffbbc4a2f1aa8639fc06bf378c8fadaea939
SHA256 eedef1c34f09db98366600f36622049a2d7572f7ce92d1b3a8d504f8806a4bbd
SHA512 af420b0c8736f40994b14e576cc7acb661442a13036d6fab8dcffbcde2a1a786d4c9d5efa116e4e21d5de108c3d4f39a32e02d53b78218396eb7681731a99b88
-
Filesize 91KB
MD5 1fba2715ae2d2ce107c85ac8606e36e5
SHA1 2b5272f8aab4f4ea246dc923c2090371dc4cb921
SHA256 649f9b5ff0e324ddb544058c9bad0872e89a72766b8abf0840dbb504bcb8099f
SHA512 2410930a03a5577eb899bbbae7b100c3793765c27dca2356693095632834dc402c99f8f60c995c32b09044ab65dcf4d3d4931d37a3cd726eaeb1f050a978fa09
-
Filesize 103KB
MD5 cf1795d577bbf2e80bf0efd93d91effa
SHA1 dea26943ec8212f5d8ffa8880e04cc80f49f765a
SHA256 93103455a5ba410d2a730c3a453d4fb21ca9b3cb3841f08ff4ecb2aa95b181a4
SHA512 8998c2fa87e009b206b5e17a5e00a32886b9c8963255401f5ee29d21050ff1cc959448cc3aa7b02a2b0e35d292919697063ee86542d3c48fe13439dc67867154
-
Filesize 118KB
MD5 dde25734ea4e682bea092bbabae511c5
SHA1 869c1d3c957e51e80393d00156be1b52046e5da9
SHA256 bff943ae1447badd683a293249a81ecc438dbd9100b98aa7b0b910d8e3bfb906
SHA512 1d4758ab813cf248ff7c5d7f927984708e73216072532bdcc23770af99172a63c665b3ab23b45b5cdda12d848b9f0bf82a5cff86ccad8acb8b22c76b206c1864
-
Filesize 91KB
MD5 15beeb489f50a52c6c383d9ba297a30f
SHA1 ebf6f2ddbcf4906de755c33439aba8d6129c4412
SHA256 2011a62b52abbf698504bb5acda15d7fe115ed464311a80f5ae7a49cc3367133
SHA512 78c3f1d7872f2f9c331c6bc15f96b4d30e698a9ff2dfd0f2514ef1eccfcae148cb889806bd88f0b33f6c247d425da2329771187aa84c7c9c49b79b968bd7d8b9
-
Filesize 92KB
MD5 31ee44bbaab8e799a8c8481ceb1fc3dc
SHA1 d2032040b871a6bde19411132a9303c0c80041a1
SHA256 6852953f0de0f88dce6964f5eee76f1da94ddaf83bea292b3dc2be0f92d51aca
SHA512 b0fd36658523e6de9566586778d7f9fc5209745278bb84dc9b0a16d3fba429f32301b02eecb120af3fb82004e04f816f6d2d7ff3be7ff437eadf2a8a6285ec40
-
C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\RCX11C6.tmp
Filesize 91KB
MD5 815d89fb8fecaf4255602b12142f0162
SHA1 8977cd9e441a4af07df70c08465367d0f69866ff
SHA256 94928b91b3a30ac1e1c4f037ba8294943b7b2d1286df3b994c0d28d2d50a8ee7
SHA512 7ab583ee8d330b0a2fc71ab64649759e25858c23b707801ab5d8aa7b811ce4f37edd048728daac5b7790a11c72f744fec37dda418f7ae0adff6310592e6fa0b9
-
Filesize 100KB
MD5 e65d32f7b7fdd5d71b47bb0d978be3fb
SHA1 610cf8160c9be206a03e214c1817375d3d00d35a
SHA256 42afb65cf5e2135050a35c36171195f1ba6b5c34b9e920b0b9edb907c5de420e
SHA512 c33bbeb02077828a3bd7ed7861768373523c205f3dd53e9e69b7a7dcd9f665ded4eb857be7398d8af7abb08a5065a2dd457272f3d3b10d850d181e2fc20db352
-
Filesize 545KB
MD5 2b080b07c5d28342b014c7af3f3b5f69
SHA1 62fd16564225a347fc2e6de8eb0bf5fcf487287b
SHA256 e5b0ca86c43d3244a8850d29173e0a016ceffe1d0f904ad8f5e5091d6bbae7b3
SHA512 dfeb721ec85b81d4a70444d55d17902e03f4fad2624717c84eafa63a2ee0bbaf4012cddf978e9e514f716f22dbe137a2c8911d97f8a63f6fd37ed5708b3c6bb7
-
Filesize 830B
MD5 78bd4d9c81bf1eeea16059b5b4dea671
SHA1 8b46b92aedb70d876dcd67d6ed23418be7f4eae5
SHA256 6610be08b0ee01fc2688dba0256632b1f338a8aa27e8eb97d674dde4656efda0
SHA512 8362d2dff9afca2e54681e1ec9aa4037be8fcf573bf2269583f5316d3fae7b0f7bb9fe49da48fbd72e20d49462205ee410a585a429e9e6070e5c2bf7391fa31d
-
C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe.exe
Filesize 1.7MB
MD5 cca5f1a4afe1a8c35b880549b7c63a81
SHA1 0a9e9f2b3eec58b0e5ddcdb0ec87777334ed2976
SHA256 0e466adcd2306c77b3b56c2b117efb948f022d2d2a9e153cbfa23632f7332efe
SHA512 f844c5a42204947a10aaaaa7a6ae24cabd6f8e8802c12050a5ec4f8b1edb6f011317a78c902a31a4801e4087a1dc54458a5d36190fc5f6d855c278eb1e86fefc
-
Filesize 93KB
MD5 158256700cf45ccb837c95bdcc23deb9
SHA1 15015b19f7de288090b945bf41565aad334206e9
SHA256 a3e00a8beb5ae7fac43bd717d283691286141d3cf038d90630849dd21d1baa1a
SHA512 67c4e13f7e4b44b932f6e588adce291df60749d9e183b169e7b48d812e3d99b5afb11fddc625fe9c38f88795a86e815c3d9171ccfd768a10fad14653e0a45aa6
-
Filesize 842B
MD5 6f4adf207ef402d9ef40c6aa52ffd245
SHA1 4b05b495619c643f02e278dede8f5b1392555a57
SHA256 d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512 a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47