Malware Analysis Report

2025-08-10 20:04

Sample ID 250704-pbn76asvhz
Target 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader
SHA256 273c547c2f03d92388f8b8a2c953814e2f0d850428123fe8d076976767935be8
Tags
discovery persistence ransomware spyware stealer
score
9/10

Analysis Overview

score
9/10

SHA256

273c547c2f03d92388f8b8a2c953814e2f0d850428123fe8d076976767935be8

Threat Level: Likely malicious

The file 2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence ransomware spyware stealer

Renames multiple (256) files with added filename extension

Renames multiple (257) files with added filename extension

Drops file in Drivers directory

Reads user/profile data of web browsers

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-07-04 12:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-07-04 12:09

Reported

2025-07-04 12:12

Platform

win10v2004-20250619-en

Max time kernel

149s

Max time network

141s

Command Line

C:\Windows\Explorer.EXE

Signatures

Renames multiple (257) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\Logo1_.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\uninstall\rundl132.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" C:\Windows\Logo1_.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\RCX22FC.tmp C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jps.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\wsgen.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\pwahelper.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\createdump.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\RCX249D.tmp C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\rmid.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\vlc.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\java.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jhat.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\os_update_handler.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jcmd.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\klist.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\rmid.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\Installer\setup.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\javah.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdate.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\RCX23DD.tmp C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\RCX2570.tmp C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\Time.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\pwahelper.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\notification_click_helper.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge_proxy.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\notification_helper.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\notification_helper.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\chrome_pwa_launcher.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\uninstall\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\RichDll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\uninstall\rundl132.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\uninstall\rundl132.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe C:\Windows\SysWOW64\net.exe
PID 1972 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe C:\Windows\SysWOW64\net.exe
PID 1972 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe C:\Windows\SysWOW64\net.exe
PID 4720 wrote to memory of 1532 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4720 wrote to memory of 1532 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4720 wrote to memory of 1532 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1972 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2544 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe C:\Windows\Logo1_.exe
PID 1972 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe C:\Windows\Logo1_.exe
PID 1972 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe C:\Windows\Logo1_.exe
PID 3276 wrote to memory of 1076 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3276 wrote to memory of 1076 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3276 wrote to memory of 1076 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4088 wrote to memory of 4240 N/A C:\Windows\system32\cmd.exe C:\Windows\uninstall\rundl132.exe
PID 4088 wrote to memory of 4240 N/A C:\Windows\system32\cmd.exe C:\Windows\uninstall\rundl132.exe
PID 4088 wrote to memory of 4240 N/A C:\Windows\system32\cmd.exe C:\Windows\uninstall\rundl132.exe
PID 1076 wrote to memory of 1880 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1076 wrote to memory of 1880 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1076 wrote to memory of 1880 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2544 wrote to memory of 4712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
PID 2544 wrote to memory of 4712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
PID 3276 wrote to memory of 1600 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3276 wrote to memory of 1600 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3276 wrote to memory of 1600 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1600 wrote to memory of 2612 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1600 wrote to memory of 2612 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1600 wrote to memory of 2612 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3276 wrote to memory of 3452 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 3276 wrote to memory of 3452 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\uninstall\rundl132.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8CBF.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\uninstall\rundl132.exe

C:\Windows\uninstall\rundl132.exe

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.180.3:80 c.pki.goog tcp

Files

C:\Windows\Logo1_.exe

MD5 158256700cf45ccb837c95bdcc23deb9
SHA1 15015b19f7de288090b945bf41565aad334206e9
SHA256 a3e00a8beb5ae7fac43bd717d283691286141d3cf038d90630849dd21d1baa1a
SHA512 67c4e13f7e4b44b932f6e588adce291df60749d9e183b169e7b48d812e3d99b5afb11fddc625fe9c38f88795a86e815c3d9171ccfd768a10fad14653e0a45aa6

C:\Windows\system32\drivers\etc\hosts

MD5 6f4adf207ef402d9ef40c6aa52ffd245
SHA1 4b05b495619c643f02e278dede8f5b1392555a57
SHA256 d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512 a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

memory/1972-10-0x0000000000400000-0x0000000000429000-memory.dmp

memory/4240-14-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a8CBF.bat

MD5 b792e02cc89f64619452eb4f4e5e15d2
SHA1 6424b29546fd3fbccd736a945f4ca03f326dc424
SHA256 3d6def87069cd7200c95d1f13b4ed820279235f50daf2eca0187725c1373f41e
SHA512 8f1d8b2b21b6b3919c5c7ae7dd552c3c78f2d6e8339a680ac4ec4f0765005eab241d1201a1b9b8c977517763ed93de985039e6345fb6129c78567543e4a98a51

C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe.exe

MD5 cca5f1a4afe1a8c35b880549b7c63a81
SHA1 0a9e9f2b3eec58b0e5ddcdb0ec87777334ed2976
SHA256 0e466adcd2306c77b3b56c2b117efb948f022d2d2a9e153cbfa23632f7332efe
SHA512 f844c5a42204947a10aaaaa7a6ae24cabd6f8e8802c12050a5ec4f8b1edb6f011317a78c902a31a4801e4087a1dc54458a5d36190fc5f6d855c278eb1e86fefc

memory/3276-20-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Program Files\7-Zip\RCX220C.tmp

MD5 4389811b49284e06042f88e80b46d0c3
SHA1 1ae13c15927cee471080e1f57458e8484938ed30
SHA256 a53608ecec5158f888a3ce8363f9b71839495656104717281a817678b01fe70c
SHA512 bcbdb71f5c87922da1b44a310cc7d60f546883eea530d4fbb73f61a09b363dfaaf47f078f7d65f8a63b09566f73a7c937e6e0d3f8a04ff119efcc7168321e49b

C:\Program Files\Java\jdk-1.8\bin\RCX22FC.tmp

MD5 31ee44bbaab8e799a8c8481ceb1fc3dc
SHA1 d2032040b871a6bde19411132a9303c0c80041a1
SHA256 6852953f0de0f88dce6964f5eee76f1da94ddaf83bea292b3dc2be0f92d51aca
SHA512 b0fd36658523e6de9566586778d7f9fc5209745278bb84dc9b0a16d3fba429f32301b02eecb120af3fb82004e04f816f6d2d7ff3be7ff437eadf2a8a6285ec40

C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe.Exe

MD5 8553786eeb74ad0108cbc6088633f422
SHA1 1c126143005ae9698904e637d7a71c42ae55583e
SHA256 12dc8fb700d3a68b22d66fa0866ed50db715c7aa707d0bf5bac390102337e7c0
SHA512 9e2cc02842391f282e302a11e817b926e907111d5507fae433dfc29b037d52d89f5c2d4b3bbe46501f1e61ba3527663446354ff8394b7ec1efb8c405c22e7545

C:\Program Files\Mozilla Firefox\RCX261E.tmp

MD5 cc25207fbe38a021e4888d2f74f1521b
SHA1 38baa7e66b2e3b13e3305422a56d7e02116a696d
SHA256 d27d7402232716b563183e79023aed19d240952326cb8c97e50cfd89a874b438
SHA512 6f0c4d35697dfa68387a6fd9e7fb98c97b630d440ac490819fee6924be093dbaba13df41dc7f23cc0c23ab427b6f4cdefa28350ef70f7727cc24d858936ad421

memory/3276-663-0x0000000000400000-0x0000000000429000-memory.dmp

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\RCX2F41.tmp

MD5 42abd6418c18632af368b5f00d30ed6b
SHA1 24c4ffbbc4a2f1aa8639fc06bf378c8fadaea939
SHA256 eedef1c34f09db98366600f36622049a2d7572f7ce92d1b3a8d504f8806a4bbd
SHA512 af420b0c8736f40994b14e576cc7acb661442a13036d6fab8dcffbcde2a1a786d4c9d5efa116e4e21d5de108c3d4f39a32e02d53b78218396eb7681731a99b88

C:\Program Files (x86)\Google\Update\RCX2FF3.tmp

MD5 1fba2715ae2d2ce107c85ac8606e36e5
SHA1 2b5272f8aab4f4ea246dc923c2090371dc4cb921
SHA256 649f9b5ff0e324ddb544058c9bad0872e89a72766b8abf0840dbb504bcb8099f
SHA512 2410930a03a5577eb899bbbae7b100c3793765c27dca2356693095632834dc402c99f8f60c995c32b09044ab65dcf4d3d4931d37a3cd726eaeb1f050a978fa09

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\RCX3044.tmp

MD5 dde25734ea4e682bea092bbabae511c5
SHA1 869c1d3c957e51e80393d00156be1b52046e5da9
SHA256 bff943ae1447badd683a293249a81ecc438dbd9100b98aa7b0b910d8e3bfb906
SHA512 1d4758ab813cf248ff7c5d7f927984708e73216072532bdcc23770af99172a63c665b3ab23b45b5cdda12d848b9f0bf82a5cff86ccad8acb8b22c76b206c1864

C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\RCX30F4.tmp

MD5 cf1795d577bbf2e80bf0efd93d91effa
SHA1 dea26943ec8212f5d8ffa8880e04cc80f49f765a
SHA256 93103455a5ba410d2a730c3a453d4fb21ca9b3cb3841f08ff4ecb2aa95b181a4
SHA512 8998c2fa87e009b206b5e17a5e00a32886b9c8963255401f5ee29d21050ff1cc959448cc3aa7b02a2b0e35d292919697063ee86542d3c48fe13439dc67867154

C:\Program Files (x86)\Mozilla Maintenance Service\RCX32D1.tmp

MD5 e65d32f7b7fdd5d71b47bb0d978be3fb
SHA1 610cf8160c9be206a03e214c1817375d3d00d35a
SHA256 42afb65cf5e2135050a35c36171195f1ba6b5c34b9e920b0b9edb907c5de420e
SHA512 c33bbeb02077828a3bd7ed7861768373523c205f3dd53e9e69b7a7dcd9f665ded4eb857be7398d8af7abb08a5065a2dd457272f3d3b10d850d181e2fc20db352

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\RCX36F8.tmp

MD5 ae140b54368c51b6e8930493db4cee22
SHA1 52064bf58c1d9fb9f463587213b78f345375c924
SHA256 b0a46de4ecd585d695d00b6e952b01c6933034d3e4de47093bb42cd7d0f302e5
SHA512 ebadc7c358a041d700e4248e0ee5fe306d9fa24de59df3c2cc531eee331b696daf5cb0d99fbd9fc8c25765b850397aa3e7205f7d376d42b2c29ab69c061c976e

memory/3276-1314-0x0000000000400000-0x0000000000429000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-07-04 12:09

Reported

2025-07-04 12:12

Platform

win11-20250619-en

Max time kernel

149s

Max time network

104s

Command Line

C:\Windows\Explorer.EXE

Signatures

Renames multiple (256) files with added filename extension

ransomware

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\Logo1_.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\uninstall\rundl132.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe" C:\Windows\Logo1_.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\createdump.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\RCX123A.tmp C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_196812\javaws.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\RCX1D2F.tmp C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\keytool.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Client\AppVLP.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\pwahelper.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\cookie_exporter.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevated_tracing_service.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_helper.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge_proxy.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\createdump.exe.Exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\keytool.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\MSOHTMED.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\RCX11C5.tmp C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jjs.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Paint_10.2104.17.0_x64__8wekyb3d8bbwe\PaintApp\mspaint.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\MicrosoftWindows.Client.WebExperience_321.14700.0.9_x64__cw5n1h2txyewy\Dashboard\Widgets.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\Java Update\RCX1BBB.tmp C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevated_tracing_service.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\identity_helper.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.40978.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\BHO\ie_to_edge_stub.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\cookie_exporter.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\cookie_exporter.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_helper.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome_proxy.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.WindowsTerminal_1.6.10571.0_x64__8wekyb3d8bbwe\WindowsTerminal.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe.Exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\uninstall\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\RichDll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\uninstall\rundl132.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\uninstall\rundl132.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 536 wrote to memory of 6100 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe C:\Windows\SysWOW64\net.exe
PID 6100 wrote to memory of 2168 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 536 wrote to memory of 4020 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe C:\Windows\SysWOW64\cmd.exe
PID 536 wrote to memory of 1464 N/A C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe C:\Windows\Logo1_.exe
PID 1464 wrote to memory of 3092 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 6092 wrote to memory of 5288 N/A C:\Windows\system32\cmd.exe C:\Windows\uninstall\rundl132.exe
PID 4020 wrote to memory of 3172 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe
PID 3092 wrote to memory of 5780 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1464 wrote to memory of 3460 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3460 wrote to memory of 4856 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1464 wrote to memory of 3264 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Windows\uninstall\rundl132.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a79C4.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\uninstall\rundl132.exe

C:\Windows\uninstall\rundl132.exe

C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe

"C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Files

C:\Windows\Logo1_.exe

C:\Windows\system32\drivers\etc\hosts

C:\Users\Admin\AppData\Local\Temp\$$a79C4.bat

C:\Users\Admin\AppData\Local\Temp\2025-07-04_e37be1089c7fab683aad8eba3d1056b1_black-basta_elex_gcleaner_hijackloader.exe.exe

C:\Program Files\7-Zip\RCXF3E.tmp

C:\Program Files\Java\jdk-1.8\bin\RCX1001.tmp

C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\RCX11C6.tmp

C:\Program Files\Mozilla Firefox\uninstall\RCX123B.tmp

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RCX1984.tmp

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\RCX1B8A.tmp

C:\Program Files (x86)\Google\Update\RCX1C1D.tmp

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\RCX1C6D.tmp

C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\RCX1D1E.tmp

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.exe.Exe