File name:

2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn

Full analysis: https://app.any.run/tasks/9c8a9101-b744-444b-97b2-8e4a70dfb9d7
Verdict: Malicious activity
Analysis date: April 24, 2025, 19:15:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
jeefo
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 1AEA0AD4739FC3F38DDD67A2415AB98E
SHA1: 6E129F1B1A4A0CECDA16E95BFDE22F210470A6CC
SHA256: 2D023D6658FB56AA844891CCDB288C495575E545DD64B541D2BD195FD2E6E523
SSDEEP: 98304:5cwdMq0bg9ddHhyBwfOiq8d39EJhmPALKz6k:PzDXfOij/

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • JEEFO has been detected

      • 2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe (PID: 5728)
      • icsys.icn.exe (PID: 920)
      • explorer.exe (PID: 2088)
      • svchost.exe (PID: 6620)
    • Changes the autorun value in the registry

      • svchost.exe (PID: 6620)
      • explorer.exe (PID: 2088)
  • SUSPICIOUS

    • Starts application with an unusual extension

      • 2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe (PID: 5728)
    • Executable content was dropped or overwritten

      • 2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe (PID: 5728)
      • spoolsv.exe (PID: 6388)
      • icsys.icn.exe (PID: 920)
      • explorer.exe (PID: 2088)
    • Starts itself from another location

      • 2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe (PID: 5728)
      • spoolsv.exe (PID: 6388)
      • icsys.icn.exe (PID: 920)
      • explorer.exe (PID: 2088)
      • svchost.exe (PID: 6620)
    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 920)
      • spoolsv.exe (PID: 6388)
    • Creates or modifies Windows services

      • svchost.exe (PID: 6620)
  • INFO

    • Checks supported languages

      • 2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe (PID: 5728)
      • 2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe  (PID: 1228)
      • spoolsv.exe (PID: 6388)
      • icsys.icn.exe (PID: 920)
      • explorer.exe (PID: 2088)
      • svchost.exe (PID: 6620)
      • spoolsv.exe (PID: 1616)
    • The sample compiled with english language support

      • 2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe (PID: 5728)
    • Create files in a temporary directory

      • 2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe (PID: 5728)
      • spoolsv.exe (PID: 6388)
      • icsys.icn.exe (PID: 920)
      • explorer.exe (PID: 2088)
      • svchost.exe (PID: 6620)
      • spoolsv.exe (PID: 1616)
    • Reads Environment values

      • 2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe  (PID: 1228)
    • Reads product name

      • 2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe  (PID: 1228)
    • Reads the computer name

      • 2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe  (PID: 1228)
      • svchost.exe (PID: 6620)
    • Auto-launch of the file from Registry key

      • explorer.exe (PID: 2088)
      • svchost.exe (PID: 6620)
    • Manual execution by a user

      • svchost.exe (PID: 2432)
      • explorer.exe (PID: 4784)
    • Checks proxy server information

      • slui.exe (PID: 5608)
    • Reads the software policy settings

      • slui.exe (PID: 5608)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
All screenshots are available in the full report
Total processes: 134
Monitored processes: 11
Malicious processes: 5
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph (the interactive graph is available in the full report):
  • 2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe (start, #JEEFO)
  • 2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe  (no specs)
  • icsys.icn.exe (#JEEFO)
  • explorer.exe (#JEEFO)
  • spoolsv.exe
  • svchost.exe (#JEEFO)
  • spoolsv.exe (no specs)
  • svchost.exe (no specs)
  • explorer.exe (no specs)
  • slui.exe
  • 2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe (no specs)

Process information

PID:
920
CMD:
C:\Windows\Resources\Themes\icsys.icn.exe
Path:
C:\Windows\Resources\Themes\icsys.icn.exe
Parent process:
2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\themes\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID:
1228
CMD:
c:\users\admin\desktop\2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe 
Path:
C:\Users\admin\Desktop\2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe 
Parent process:
2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe
User:
admin
Company:
Sysinternals - www.sysinternals.com
Integrity Level:
HIGH
Description:
Autostart program viewer
Version:
14.09
Modules
Images
c:\users\admin\desktop\2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe 
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID:
1616
CMD:
c:\windows\resources\spoolsv.exe PR
Path:
C:\Windows\Resources\spoolsv.exe
Parent process:
svchost.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID:
2088
CMD:
c:\windows\resources\themes\explorer.exe
Path:
C:\Windows\Resources\Themes\explorer.exe
Parent process:
icsys.icn.exe
User:
admin
Integrity Level:
HIGH
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID:
2432
CMD:
c:\windows\resources\svchost.exe RO
Path:
C:\Windows\Resources\svchost.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
4784
CMD:
c:\windows\resources\themes\explorer.exe RO
Path:
C:\Windows\Resources\Themes\explorer.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
5452
CMD:
"C:\Users\admin\Desktop\2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe"
Path:
C:\Users\admin\Desktop\2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\users\admin\desktop\2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
5608
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
5728
CMD:
"C:\Users\admin\Desktop\2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe"
Path:
C:\Users\admin\Desktop\2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID:
6388
CMD:
c:\windows\resources\spoolsv.exe SE
Path:
C:\Windows\Resources\spoolsv.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\spoolsv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
Total events: 3 745
Read events: 3 726
Write events: 15
Delete events: 4

Modification events

(PID) Process: (5728) 2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

(PID) Process: (2088) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

(PID) Process: (2088) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

(PID) Process: (2088) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer
Value:

(PID) Process: (2088) explorer.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Svchost
Value:

(PID) Process: (6620) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

(PID) Process: (6620) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO

(PID) Process: (6620) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Explorer
Value:

(PID) Process: (6620) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: delete value
Name: Svchost
Value:

(PID) Process: (920) icsys.icn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1
Executable files: 5
Suspicious files: 4
Text files: 0
Unknown types: 0

Dropped files

PID: 920
Process: icsys.icn.exe
Filename: C:\Windows\Resources\Themes\explorer.exe
Type: executable
MD5: 70FB60DF53DF91E59A11CDF730E632E2
SHA256: F45DE898E5BEAEDC88AAD27AE387CCED18A32EA6AE0A1F617DCE93099159D60B

PID: 1616
Process: spoolsv.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF3780EDA4861BAF31.TMP
Type: binary
MD5: 4CB5EC9BEA0C64CD61D53013D8C8BA4B
SHA256: A5E08EEAC53A32E510E5E0FCAC2209768B56EB2789F05F3658CF9FF5C69FE78F

PID: 6388
Process: spoolsv.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF6C56EF4FDC7E571A.TMP
Type: binary
MD5: F783F52DA6193390752A99B5EB23CEBD
SHA256: 297138D6193864195FB83A9CF07F95D26794DFF0846CF6DC4CC6489F5B0DAD16

PID: 5728
Process: 2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFBC66DD8183FF4968.TMP
Type: binary
MD5: A35E7AB4ADDF018B2F11588DC9B6DECA
SHA256: 12EC126E7B273D92D58477026F22EF06B92FDFA05DD0D4E0CFB9A14D0F9CB77D

PID: 6388
Process: spoolsv.exe
Filename: C:\Windows\Resources\svchost.exe
Type: executable
MD5: A1864E136BF2B7BFF5FB4EC317DB1694
SHA256: A51325447CECDE30F99D0D7344B69B7196B4FC66CB20280DCB67D72A702D2A8C

PID: 2088
Process: explorer.exe
Filename: C:\Windows\Resources\spoolsv.exe
Type: executable
MD5: 3C5336F491B33FFD6CAAD91903AB7D62
SHA256: 5F71AC730E21848E4CCFF401E51174E0DC3FE59CE2D4ED8F53998298E3E5AD06

PID: 920
Process: icsys.icn.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DF0A79002D141E7B15.TMP
Type: binary
MD5: 48325F37A2153F204D7316C67136B858
SHA256: 073EBAD746026458D405CAD2C1C79DB078639AE2FECA9C7D003DA033C693B5C7

PID: 5728
Process: 2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe
Filename: C:\Windows\Resources\Themes\icsys.icn.exe
Type: executable
MD5: 172A1D0EC566B481CA11A248ECE7CB6E
SHA256: FCF7B642A92B2EA897122AB68EE0EFB6831CD94E14E33D6FF4F72221C7F31A9F

PID: 5728
Process: 2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe
Filename: C:\Users\admin\Desktop\2025-04-24_1aea0ad4739fc3f38ddd67a2415ab98e_black-basta_elex_swisyn.exe 
Type: executable
MD5: 2B2D8DF5FC1CAB874D05C4A820FBCDE3
SHA256: DAFFC7CBAFE070479CE877401A239CC46B8AC82E031CCC400A7E4A2E9226CD20
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 24
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5024 | RUXIMICS.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5024 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5024 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5024 | RUXIMICS.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5024 | RUXIMICS.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1072 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
5608 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.124.78.146 | whitelisted
google.com | 142.250.185.174 | whitelisted
crl.microsoft.com | 23.53.40.178, 23.53.40.176 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

No threats detected
No debug info