File name: 2025-06-21_be3976d90424b3d36a7d6df80b759fbb_black-basta_elex_gcleaner_hijackloader

Full analysis: https://app.any.run/tasks/db6d2019-6f42-4925-9da5-0204bd573d66
Verdict: Malicious activity
Analysis date: June 21, 2025, 11:22:49
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: scan, smbscan, yero, worm, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: BE3976D90424B3D36A7D6DF80B759FBB
SHA1: 49FB92F15FEAD2851B527DDCE81B18B293F7B8D1
SHA256: 333D48D4E32A1A0676B657D505126C33B7A5189D6FBBE0DE70DD7A7E846C7412
SSDEEP: 98304:yR2RqjT91+886JNZKYWU0T9awINMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMv:wm

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • YERO has been detected: 2025-06-21_be3976d90424b3d36a7d6df80b759fbb_black-basta_elex_gcleaner_hijackloader.exe (PID: 2580), tmp1534859.exe (PID: 5644)
    • YERO mutex has been found: tmp1534859.exe (PID: 5644)
    • Attempting to scan the network: tmp1534859.exe (PID: 5644)
    • SMBSCAN has been detected (SURICATA): tmp1534859.exe (PID: 5644), System (PID: 4)
  • SUSPICIOUS
    • Executable content was dropped or overwritten: 2025-06-21_be3976d90424b3d36a7d6df80b759fbb_black-basta_elex_gcleaner_hijackloader.exe (PID: 2580), tmp1534859.exe (PID: 5644)
    • Drops 7-Zip archiver for unpacking: 2025-06-21_be3976d90424b3d36a7d6df80b759fbb_black-basta_elex_gcleaner_hijackloader.exe (PID: 2580)
    • Reads security settings of Internet Explorer: tmp1534859.exe (PID: 5644)
    • The process creates files with names similar to system file names: tmp1534859.exe (PID: 5644)
    • Uses pipe srvsvc via SMB (transferring data): tmp1534859.exe (PID: 5644)
    • Potential Corporate Privacy Violation: tmp1534859.exe (PID: 5644), System (PID: 4)
  • INFO
    • Checks supported languages: 2025-06-21_be3976d90424b3d36a7d6df80b759fbb_black-basta_elex_gcleaner_hijackloader.exe (PID: 2580), tmp1534859.exe (PID: 5644), tmp1534953.exe (PID: 6640)
    • Creates files in a temporary directory: 2025-06-21_be3976d90424b3d36a7d6df80b759fbb_black-basta_elex_gcleaner_hijackloader.exe (PID: 2580)
    • The sample was compiled with English language support: 2025-06-21_be3976d90424b3d36a7d6df80b759fbb_black-basta_elex_gcleaner_hijackloader.exe (PID: 2580)
    • Reads the computer name: tmp1534859.exe (PID: 5644)
    • Checks proxy server information: tmp1534859.exe (PID: 5644), slui.exe (PID: 6700)
    • Creates files or folders in the user directory: tmp1534859.exe (PID: 5644)
    • UPX packer has been detected: tmp1534859.exe (PID: 5644)
    • Reads the software policy settings: slui.exe (PID: 6700)
No Malware configuration.

TRiD

.exe | Win32 EXE PECompact compressed (generic) (18.1)
.exe | UPX compressed Win32 Executable (11.8)
.exe | Win32 EXE Yoda's Crypter (11.6)
.dll | Win32 Dynamic Link Library (generic) (2.8)

EXIF (EXE)

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00 (this is the fixed value Borland/Delphi linkers write into the PE header, not the build date; together with LinkerVersion 2.25 it indicates a Borland-linked binary)
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 12288
InitializedDataSize: 4096
UninitializedDataSize: 106496
EntryPoint: 0x1cee0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 136
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph (process tree; tags are the indicators shown on the graph)

System (PID 4)  #SMBSCAN
explorer.exe
    2025-06-21_be3976d90424b3d36a7d6df80b759fbb_black-basta_elex_gcleaner_hijackloader.exe (PID 2580)  #YERO
        tmp1534859.exe (PID 5644)  #SMBSCAN
        tmp1534953.exe (PID 6640)  no specs
            conhost.exe (PID 3520)  no specs
svchost.exe
    slui.exe (PID 6700)

Process information

PID: 4
CMD: System
Path: [System Process]
Indicators: #SMBSCAN
Parent process: (none)
User: SYSTEM
Integrity Level: SYSTEM

PID: 2580
CMD: "C:\Users\admin\Desktop\2025-06-21_be3976d90424b3d36a7d6df80b759fbb_black-basta_elex_gcleaner_hijackloader.exe"
Path: C:\Users\admin\Desktop\2025-06-21_be3976d90424b3d36a7d6df80b759fbb_black-basta_elex_gcleaner_hijackloader.exe
Indicators: #YERO
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\2025-06-21_be3976d90424b3d36a7d6df80b759fbb_black-basta_elex_gcleaner_hijackloader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 3520
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Indicators: (none)
Parent process: tmp1534953.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 5644
CMD: C:\Users\admin\AppData\Local\Temp\tmp1534859.exe
Path: C:\Users\admin\AppData\Local\Temp\tmp1534859.exe
Indicators: #SMBSCAN
Parent process: 2025-06-21_be3976d90424b3d36a7d6df80b759fbb_black-basta_elex_gcleaner_hijackloader.exe
User: admin
Integrity Level: MEDIUM
Exit code: none recorded
Modules (images):
c:\users\admin\appdata\local\temp\tmp1534859.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll

PID: 6640
CMD: C:\Users\admin\AppData\Local\Temp\tmp1534953.exe
Path: C:\Users\admin\AppData\Local\Temp\tmp1534953.exe
Indicators: (none)
Parent process: 2025-06-21_be3976d90424b3d36a7d6df80b759fbb_black-basta_elex_gcleaner_hijackloader.exe
User: admin
Company: Igor Pavlov
Integrity Level: MEDIUM
Description: 7-Zip Console
Exit code: 0
Version: 23.01
Modules (images):
c:\users\admin\appdata\local\temp\tmp1534953.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

PID: 6700
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Indicators: (none)
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 4 083
Read events: 4 083
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 216
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID 2580 (2025-06-21_be3976d90424b3d36a7d6df80b759fbb_black-basta_elex_gcleaner_hijackloader.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\tmp1534968.exe
  Type: not reported
  MD5: not reported
  SHA256: not reported

PID 5644 (tmp1534859.exe)
  Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe-
  Type: not reported
  MD5: not reported
  SHA256: not reported

PID 5644 (tmp1534859.exe)
  Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe-
  Type: not reported
  MD5: not reported
  SHA256: not reported

PID 2580 (2025-06-21_be3976d90424b3d36a7d6df80b759fbb_black-basta_elex_gcleaner_hijackloader.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\tmp1534859.exe
  Type: executable
  MD5: 2437D314B5848AF5EF72F96BBFC87D39
  SHA256: A11B7EDA0C0CFEB86616DF83965982394FEBBBBCD5BD27272E2AE9F55844FA91

PID 5644 (tmp1534859.exe)
  Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe-
  Type: executable
  MD5: 50C8EAACD8E6F6649E073F29708B165B
  SHA256: C713B9BB1671E58454B1A9C2227DEE4F9E2443E79BA594DF7A4392DD57C59F14

PID 5644 (tmp1534859.exe)
  Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe-
  Type: executable
  MD5: 7EEC1ADE5659C19C4B55F8F768FB800F
  SHA256: ABDBB294475CC950BB0C8CC113A3AF51A118F2D84FE1869A3B98385A43C1E41C

PID 5644 (tmp1534859.exe)
  Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe-
  Type: executable
  MD5: 940F885A1489A0F3AE1BDFCEA19B9952
  SHA256: 31B47024A86B930A770EA53ABEDFEC2F734A491C030563DFC46EB1DD43866A55

PID 5644 (tmp1534859.exe)
  Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe-
  Type: executable
  MD5: 7FE9338167155BD3E49A3D84955CABB5
  SHA256: 36B69EEB57FB482791A765D772307D3220E1C77E954DD1D69BD31BCD5F6C03FC

PID 5644 (tmp1534859.exe)
  Filename: C:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\fsb.tmp
  Type: executable
  MD5: 2437D314B5848AF5EF72F96BBFC87D39
  SHA256: A11B7EDA0C0CFEB86616DF83965982394FEBBBBCD5BD27272E2AE9F55844FA91

PID 2580 (2025-06-21_be3976d90424b3d36a7d6df80b759fbb_black-basta_elex_gcleaner_hijackloader.exe)
  Filename: C:\Users\admin\AppData\Local\Temp\tmp1534953.exe
  Type: executable
  MD5: 9A1DD1D96481D61934DCC2D568971D06
  SHA256: 8CEBB25E240DB3B6986FCAED6BC0B900FA09DAD763A56FB71273529266C5C525

Two things in this table matter for triage. Paths under C:\Users\admin\AppData\Local\VirtualStore\ are UAC file-virtualization redirects: tmp1534859.exe, running at medium integrity, tried to write into C:\Program Files\Adobe\Acrobat DC\Acrobat\... and C:\Windows\SysWOW64\, and Windows redirected those writes into the per-user VirtualStore, so on a host where the process runs elevated the installed Acrobat executables would be overwritten in place. Second, fsb.tmp carries the same MD5 and SHA256 as tmp1534859.exe itself, i.e. the process wrote a byte-identical copy of itself into the (virtualized) system directory, consistent with the worm tag.
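A small triage routine for a dropped-files table like the one above, added here as an example and not part of ANY.RUN or of the sample: it maps VirtualStore paths back to the protected location the process was aiming at and flags any drop whose hash equals the writing process's own image hash. The Drop records are transcribed from the table (a subset of its rows); the Finding categories, the function names and the assumption that the system drive is C: are this example's own.

```python
"""Triage of a sandbox "Dropped files" table: UAC virtualization and self-copies.

Added example, not ANY.RUN code.  The Drop records are transcribed from the
report's table (subset of rows, values copied verbatim); the Finding kinds,
function names and the C: system-drive assumption are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Drop:
    pid: int
    process: str        # image name of the process that wrote the file
    path: str           # where the sandbox saw the file land
    md5: Optional[str]  # None where the report gives no hash


@dataclass(frozen=True)
class Finding:
    kind: str
    pid: int
    path: str
    note: str


SAMPLE = "2025-06-21_be3976d90424b3d36a7d6df80b759fbb_black-basta_elex_gcleaner_hijackloader.exe"

# Constructed from the report's table (subset of rows).
DROPS: List[Drop] = [
    Drop(2580, SAMPLE, r"C:\Users\admin\AppData\Local\Temp\tmp1534859.exe",
         "2437D314B5848AF5EF72F96BBFC87D39"),
    Drop(5644, "tmp1534859.exe",
         r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe-",
         "50C8EAACD8E6F6649E073F29708B165B"),
    Drop(5644, "tmp1534859.exe",
         r"C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe-",
         "7EEC1ADE5659C19C4B55F8F768FB800F"),
    Drop(5644, "tmp1534859.exe",
         r"C:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\fsb.tmp",
         "2437D314B5848AF5EF72F96BBFC87D39"),
    Drop(2580, SAMPLE, r"C:\Users\admin\AppData\Local\Temp\tmp1534953.exe",
         "9A1DD1D96481D61934DCC2D568971D06"),
]

# MD5 of each writer's own image, keyed by lower-case image name.  tmp1534859.exe
# is itself a dropped file in the table, so its hash is known from the report.
IMAGE_MD5: Dict[str, str] = {"tmp1534859.exe": "2437D314B5848AF5EF72F96BBFC87D39"}

_VS_MARKER = "\\appdata\\local\\virtualstore\\"
_SYSTEM_DRIVE = "C:\\"   # assumption for this example


def devirtualize(path: str) -> Optional[str]:
    """Return the protected path a VirtualStore write was aimed at, or None.

    UAC file virtualization redirects writes by unmanifested 32-bit processes
    running at medium integrity from %ProgramFiles% and %SystemRoot% into
    %LOCALAPPDATA%\\VirtualStore\\<same path relative to the system drive>.
    """
    i = path.lower().find(_VS_MARKER)
    if i < 0:
        return None
    return _SYSTEM_DRIVE + path[i + len(_VS_MARKER):]


def triage(drops: List[Drop], image_md5: Dict[str, str]) -> List[Finding]:
    """Classify each dropped file; findings come back in table order."""
    findings: List[Finding] = []
    for d in drops:
        target = devirtualize(d.path)
        if target is not None:
            findings.append(Finding("virtualized_write", d.pid, d.path,
                                    f"write aimed at protected path {target}"))
        elif "\\appdata\\local\\temp\\" in d.path.lower():
            findings.append(Finding("temp_drop", d.pid, d.path,
                                    "payload staged in %TEMP%"))
        own = image_md5.get(d.process.lower())
        if d.md5 and own and d.md5.upper() == own.upper():
            findings.append(Finding("self_copy", d.pid, d.path,
                                    f"{d.process} wrote a byte-identical copy of itself"))
    return findings


if __name__ == "__main__":
    for f in triage(DROPS, IMAGE_MD5):
        print(f"{f.kind:17} pid={f.pid} {f.path}")
        print(f"{'':17} {f.note}")
```

Run against the table above, every VirtualStore row resolves to an Acrobat executable under C:\Program Files or to C:\Windows\SysWOW64\fsb.tmp, and fsb.tmp is the one row that additionally matches the writer's own hash. On a real host the same check works with the hashes from your EDR's file-creation telemetry instead of the sandbox table.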
HTTP(S) requests: 8
TCP/UDP connections: 823
DNS requests: 7
Threats: 26

HTTP requests ("-" = not reported)

PID   Process            Method  Code  IP                 URL                                                                                                    CN       Type  Size   Reputation
1268  svchost.exe        GET     200   23.53.40.176:80    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl                             unknown  -     -      whitelisted
6672  RUXIMICS.exe       GET     200   23.53.40.176:80    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl                             unknown  -     -      whitelisted
5944  MoUsoCoreWorker.exe GET    200   23.53.40.176:80    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl                             unknown  -     -      whitelisted
1268  svchost.exe        GET     200   23.35.229.160:80   http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl                                     unknown  -     -      whitelisted
6672  RUXIMICS.exe       GET     200   23.35.229.160:80   http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl                                     unknown  -     -      whitelisted
5944  MoUsoCoreWorker.exe GET    200   23.35.229.160:80   http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl                                     unknown  -     -      whitelisted
-     -                  POST    500   40.91.76.224:443   https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail  unknown  xml   512 b  whitelisted
-     -                  POST    500   40.91.76.224:443   https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail  unknown  xml   512 b  whitelisted

Connections ("-" = not reported)

PID   Process              IP                     Domain              ASN                          CN   Reputation
4     System               192.168.100.255:137    -                   -                            -    whitelisted
1268  svchost.exe          51.124.78.146:443      -                   MICROSOFT-CORP-MSN-AS-BLOCK  NL   whitelisted
5944  MoUsoCoreWorker.exe  51.124.78.146:443      -                   MICROSOFT-CORP-MSN-AS-BLOCK  NL   whitelisted
6672  RUXIMICS.exe         51.124.78.146:443      -                   MICROSOFT-CORP-MSN-AS-BLOCK  NL   whitelisted
4     System               192.168.100.255:138    -                   -                            -    whitelisted
1268  svchost.exe          23.53.40.176:80        crl.microsoft.com   Akamai International B.V.    DE   whitelisted
6672  RUXIMICS.exe         23.53.40.176:80        crl.microsoft.com   Akamai International B.V.    DE   whitelisted
5944  MoUsoCoreWorker.exe  23.53.40.176:80        crl.microsoft.com   Akamai International B.V.    DE   whitelisted
1268  svchost.exe          23.35.229.160:80       www.microsoft.com   AKAMAI-AS                    DE   whitelisted
6672  RUXIMICS.exe         23.35.229.160:80       www.microsoft.com   AKAMAI-AS                    DE   whitelisted

DNS requests

Domain                            IP(s)                        Reputation
google.com                        142.250.186.78               whitelisted
crl.microsoft.com                 23.53.40.176, 23.53.40.178   whitelisted
uk.undernet.org                   (no answer recorded)         unknown
www.microsoft.com                 23.35.229.160                whitelisted
settings-win.data.microsoft.com   51.104.136.2                 whitelisted
activation-v2.sls.microsoft.com   20.83.72.98                  whitelisted
self.events.data.microsoft.com    13.89.179.10                 whitelisted

uk.undernet.org is the only lookup here that is not Microsoft or Google background traffic; Undernet is a public IRC network, and the report records no resolved address or connection for it.

Threats

PID   Process          Class                                  Message
5644  tmp1534859.exe   Potential Corporate Privacy Violation  POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network

The alert above is listed 10 times with identical fields (the summary counts 26 threats in total).
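The policy alert above fires on a pattern rather than a signature: one process opening SMB sessions to many distinct hosts, a large share of them outside private address space. The routine below reproduces that heuristic over connection records as an added example; it is not ANY.RUN's or Suricata's rule logic. The records are constructed (the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges stand in for real targets, which this summary does not list), and the window, threshold and the definition of "home network" are this example's assumptions.

```python
"""Heuristic behind an "SMB scan outside the home network" alert.

Added example, not ANY.RUN's or Suricata's rule logic.  Connection records
are constructed; the 60 s window, the 10-target threshold and the RFC 1918
definition of "home network" are this example's assumptions.
"""
import ipaddress
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

Conn = Tuple[float, int, str, str, int]   # (ts, pid, process, dst_ip, dst_port)
SMB_PORTS = {445, 139}

# Explicit list rather than ipaddress.is_private, which also treats the
# documentation ranges used in the sample data below as private.
HOME_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_home_network(ip: str) -> bool:
    """RFC 1918, loopback or link-local (assumption: that is the "home network")."""
    a = ipaddress.ip_address(ip)
    return any(a in net for net in HOME_NETWORKS)


def smb_scan_alerts(conns: Iterable[Conn], min_targets: int = 10,
                    window_s: float = 60.0) -> Dict[Tuple[int, str], Dict[str, int]]:
    """Flag processes that reach >= min_targets distinct SMB hosts within window_s.

    Only destination ports 445/139 count.  Each flagged process gets the peak
    number of distinct targets inside one window, the total distinct targets,
    and how many targets and /24 subnets lie outside the home network.
    """
    per_proc: Dict[Tuple[int, str], List[Tuple[float, str]]] = defaultdict(list)
    for ts, pid, proc, ip, port in conns:
        if port in SMB_PORTS:
            per_proc[(pid, proc)].append((ts, ip))

    alerts: Dict[Tuple[int, str], Dict[str, int]] = {}
    for key, events in per_proc.items():
        events.sort()
        window: Deque[Tuple[float, str]] = deque()
        in_window: Dict[str, int] = defaultdict(int)
        peak = 0
        for ts, ip in events:
            window.append((ts, ip))
            in_window[ip] += 1
            while ts - window[0][0] > window_s:   # evict events older than the window
                _, old_ip = window.popleft()
                in_window[old_ip] -= 1
                if in_window[old_ip] == 0:
                    del in_window[old_ip]
            peak = max(peak, len(in_window))
        if peak < min_targets:
            continue
        targets = {ip for _, ip in events}
        external = {ip for ip in targets if not is_home_network(ip)}
        subnets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in external}
        alerts[key] = {
            "peak_targets_in_window": peak,
            "distinct_targets": len(targets),
            "external_targets": len(external),
            "external_subnets": len(subnets),
        }
    return alerts


def sample_connections() -> List[Conn]:
    """Constructed traffic shaped like the report: one process sweeping port 445."""
    conns: List[Conn] = []
    t = 0.0
    for n in range(1, 41):                      # two public /24s, one host every 0.5 s
        conns.append((t, 5644, "tmp1534859.exe", f"203.0.113.{n}", 445))
        t += 0.5
    for n in range(1, 21):
        conns.append((t, 5644, "tmp1534859.exe", f"198.51.100.{n}", 445))
        t += 0.5
    for n in range(2, 7):                       # plus the local LAN over NetBIOS session
        conns.append((t, 5644, "tmp1534859.exe", f"192.168.100.{n}", 139))
        t += 0.5
    conns.append((t, 1268, "svchost.exe", "23.53.40.176", 80))            # CRL fetch, not SMB
    conns.append((t + 1.0, 4368, "explorer.exe", "192.168.100.10", 445))  # one file share
    return conns


if __name__ == "__main__":
    for (pid, proc), summary in smb_scan_alerts(sample_connections()).items():
        print(f"ALERT pid={pid} {proc}: {summary}")
```

The sliding window is what separates a worm sweep from a file server that is legitimately busy over a day: a host that touches a dozen shares spread across hours never accumulates enough distinct targets inside one window. The external-target and subnet counts are the part to surface in the alert, since a sweep confined to RFC 1918 space is suspicious but a sweep of public /24s is the policy violation the report names.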
No debug info