File name: 2025-05-17_87b7d071d6136e3071efb8c64f296cb4_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_smoke-loader

Full analysis: https://app.any.run/tasks/f40ed562-ba10-49b9-b124-1c595eed8321
Verdict: Malicious activity
Analysis date: May 17, 2025, 20:37:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: canbis, worm
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: 87B7D071D6136E3071EFB8C64F296CB4
SHA1: E8656F7F673314A923FB38F8F7338123A7FFA2EB
SHA256: 05B1DF7A279C163436F583D65AF35868F87006449C916DBE954EE7A2AFFDB9D3
SSDEEP: 98304:zSYpVEm5sn6gNEkdfaTgmHihuRB3FKFfpRBVnf9D0ks+Zo8Y1F2qaVhKffn7YAx+:taABbYdn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • CANBIS mutex has been found

      • 2025-05-17_87b7d071d6136e3071efb8c64f296cb4_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_smoke-loader.exe (PID: 6372)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 2025-05-17_87b7d071d6136e3071efb8c64f296cb4_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_smoke-loader.exe (PID: 6372)
    • Executable content was dropped or overwritten

      • 2025-05-17_87b7d071d6136e3071efb8c64f296cb4_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_smoke-loader.exe (PID: 6372)
    • Executes application which crashes

      • 2192128433.exe (PID: 1188)
  • INFO

    • Checks supported languages

      • 2025-05-17_87b7d071d6136e3071efb8c64f296cb4_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_smoke-loader.exe (PID: 6372)
      • 2192128433.exe (PID: 1188)
    • Reads the computer name

      • 2025-05-17_87b7d071d6136e3071efb8c64f296cb4_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_smoke-loader.exe (PID: 6372)
    • Process checks computer location settings

      • 2025-05-17_87b7d071d6136e3071efb8c64f296cb4_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_smoke-loader.exe (PID: 6372)
    • Failed to create an executable file in Windows directory

      • 2025-05-17_87b7d071d6136e3071efb8c64f296cb4_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_smoke-loader.exe (PID: 6372)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 4608)
    • Checks proxy server information

      • slui.exe (PID: 728)
    • Reads the software policy settings

      • slui.exe (PID: 728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 7 (57.2)
.exe | Win32 Executable Borland Delphi 5 (38.8)
.exe | Win32 Executable Delphi generic (1.2)
.scr | Windows screen saver (1.1)
.dll | Win32 Dynamic Link Library (generic) (0.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 46080
InitializedDataSize: 7680
UninitializedDataSize: -
EntryPoint: 0xc254
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 129
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start → 2025-05-17_87b7d071d6136e3071efb8c64f296cb4_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_smoke-loader.exe (#CANBIS) → 2192128433.exe → werfault.exe (no specs); slui.exe (parent: svchost.exe)

Process information

PID | CMD | Path | Indicators | Parent process

728 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | | svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    • c:\windows\system32\slui.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\system32\kernel32.dll
    • c:\windows\system32\kernelbase.dll
    • c:\windows\system32\advapi32.dll
    • c:\windows\system32\msvcrt.dll
    • c:\windows\system32\sechost.dll
    • c:\windows\system32\rpcrt4.dll
    • c:\windows\system32\bcrypt.dll
    • c:\windows\system32\user32.dll

1188 | "C:\Users\admin\Desktop\2192128433.exe" | C:\Users\admin\Desktop\2192128433.exe | | 2025-05-17_87b7d071d6136e3071efb8c64f296cb4_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_smoke-loader.exe
  User: admin
  Company: Adobe Systems Incorporated
  Integrity Level: MEDIUM
  Description: Adobe AcroCEF
  Exit code: 3228369022
  Version: 22.3.20322.0
  Modules (images):
    • c:\users\admin\desktop\2192128433.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\system32\kernel32.dll
    • c:\windows\system32\kernelbase.dll
    • c:\windows\system32\apphelp.dll
    • c:\windows\system32\user32.dll
    • c:\windows\system32\win32u.dll
    • c:\windows\system32\gdi32.dll
    • c:\windows\system32\gdi32full.dll
    • c:\windows\system32\msvcp_win.dll

4608 | C:\WINDOWS\system32\WerFault.exe -u -p 1188 -s 424 | C:\Windows\System32\WerFault.exe | | 2192128433.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Problem Reporting
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    • c:\windows\system32\werfault.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\system32\kernel32.dll
    • c:\windows\system32\kernelbase.dll
    • c:\windows\system32\msvcrt.dll
    • c:\windows\system32\combase.dll
    • c:\windows\system32\ucrtbase.dll
    • c:\windows\system32\rpcrt4.dll
    • c:\windows\system32\cryptsp.dll
    • c:\windows\system32\oleaut32.dll

6372 | "C:\Users\admin\Desktop\2025-05-17_87b7d071d6136e3071efb8c64f296cb4_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_smoke-loader.exe" | C:\Users\admin\Desktop\2025-05-17_87b7d071d6136e3071efb8c64f296cb4_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_smoke-loader.exe | | explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Exit code: 5
  Modules (images):
    • c:\users\admin\desktop\2025-05-17_87b7d071d6136e3071efb8c64f296cb4_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_smoke-loader.exe
    • c:\windows\system32\ntdll.dll
    • c:\windows\syswow64\ntdll.dll
    • c:\windows\system32\wow64.dll
    • c:\windows\system32\wow64win.dll
    • c:\windows\system32\wow64cpu.dll
    • c:\windows\syswow64\kernel32.dll
    • c:\windows\syswow64\kernelbase.dll
    • c:\windows\syswow64\apphelp.dll
    • c:\windows\syswow64\user32.dll
Total events: 5 738
Read events: 5 738
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 3
Text files: 1
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4608 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2192128433.exe_b6bc6b511cb48184699aebae5cd3ddd0ea2b19_a8c35ee5_18677cfc-f58e-4831-a31f-71630ddcdd9a\Report.wer | | |
6372 | 2025-05-17_87b7d071d6136e3071efb8c64f296cb4_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_smoke-loader.exe | C:\Users\admin\Desktop\7243353592.exe | executable | 87B7D071D6136E3071EFB8C64F296CB4 | 05B1DF7A279C163436F583D65AF35868F87006449C916DBE954EE7A2AFFDB9D3
4608 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERCA47.tmp.dmp | binary | 8E7249C0189696C197A1D3DC7123838B | 4BA3EEDFCF6E0F919244999285A55F51D86E169BE1469794C0C23D9AD4344802
6372 | 2025-05-17_87b7d071d6136e3071efb8c64f296cb4_amadey_black-basta_darkgate_elex_gcleaner_hawkeye_hijackloader_smoke-loader.exe | C:\Users\admin\Desktop\2192128433.exe | executable | A0034AE0DB27A89E0ABB91B050F3E0D3 | 44EBE486D667239804B19F07571400066E1EE154FEDA415774A1837B70958BDB
4608 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\2192128433.exe.1188.dmp | binary | D5F41F801F9BE9FBF51823498710DB91 | A2B59CE453D301E79A7D3D5C4C401322E63A38F1238A2DEFFB28AEEF02F010ED
4608 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERCAF5.tmp.xml | xml | AE8025F66EA39891EDCB6788654C1CC9 | 0F8C6CB5B60663F01D2A2B586A66D63C2A7914E02DD29B1FDA0A08CE6FD8923C
4608 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WERCAD5.tmp.WERInternalMetadata.xml | binary | 7BB09F2DE598716B5741520B28A10499 | BAB8FF99D542316C2DCDF6062AEEF895D765492E8D3C061C9D9D29CF9404532A
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 21
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN / Type / Size | Reputation
4996 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4996 | RUXIMICS.exe | GET | 200 | 23.48.23.167:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
(Only one value was captured for the CN, Type and Size columns of each row.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4996 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
| | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4996 | RUXIMICS.exe | 23.48.23.167:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4996 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4892 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
728 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146, 4.231.128.59 | whitelisted
google.com | 142.250.181.238 | whitelisted
uk.undernet.org | | unknown
crl.microsoft.com | 23.48.23.167, 23.48.23.162, 23.48.23.143, 23.48.23.169, 23.48.23.166, 23.48.23.141, 23.48.23.156, 23.48.23.173, 23.48.23.164 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info