File name: 2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader

Full analysis: https://app.any.run/tasks/3454bd07-a63f-41b3-ab0c-2f0a1107afce
Verdict: Malicious activity
Analysis date: June 21, 2025, 22:44:28
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: scan, smbscan, yero, worm, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: EC81A660EFCDB89ABD7E67CCF7A82991
SHA1: 7AFFBDE4CE3B45B8E155D4A4083572BFD80D63A7
SHA256: 92F6DD414DE9694A10AEA34A07C0D9BC01989D6963C730FB3A5E1FE8BBC01E7B
SSDEEP: 98304:9RqjT91+886JNZKYWU0T9awINMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM0:8mz

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • YERO has been detected
      • 2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader.exe (PID: 6532)
    • YERO mutex has been found
      • 2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader.exe (PID: 6532)
    • Attempting to scan the network
      • 2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader.exe (PID: 6532)
    • SMBSCAN has been detected (SURICATA)
      • 2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader.exe (PID: 6532)
      • System (PID: 4)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • 2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader.exe (PID: 6532)
    • Reads security settings of Internet Explorer
      • 2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader.exe (PID: 6532)
    • The process creates files with names similar to system file names
      • 2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader.exe (PID: 6532)
    • Uses pipe srvsvc via SMB (transferring data)
      • 2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader.exe (PID: 6532)
    • Potential Corporate Privacy Violation
      • System (PID: 4)
      • 2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader.exe (PID: 6532)
  • INFO
    • Reads the computer name
      • 2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader.exe (PID: 6532)
    • Checks supported languages
      • 2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader.exe (PID: 6532)
    • Checks proxy server information
      • 2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader.exe (PID: 6532)
      • slui.exe (PID: 6776)
    • Creates files or folders in the user directory
      • 2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader.exe (PID: 6532)
    • UPX packer has been detected
      • 2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader.exe (PID: 6532)
    • Reads the software policy settings
      • slui.exe (PID: 6776)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 5 (60.1)
.exe | InstallShield setup (5.7)
.exe | Win32 EXE PECompact compressed (generic) (5.5)
.exe | UPX compressed Win32 Executable (3.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 32768
InitializedDataSize: 16896
UninitializedDataSize: -
EntryPoint: 0x8c40
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
Total processes: 132
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Process information

PID: 4
CMD: System
Parent process: [System Process]
User: SYSTEM
Integrity Level: SYSTEM

PID: 6532
CMD: "C:\Users\admin\Desktop\2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader.exe"
Path: C:\Users\admin\Desktop\2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (images):
  c:\users\admin\desktop\2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader.exe
  c:\windows\system32\ntdll.dll
  c:\windows\syswow64\ntdll.dll
  c:\windows\system32\wow64.dll
  c:\windows\system32\wow64win.dll
  c:\windows\system32\wow64cpu.dll
  c:\windows\syswow64\kernel32.dll
  c:\windows\syswow64\kernelbase.dll
  c:\windows\syswow64\apphelp.dll
  c:\windows\syswow64\advapi32.dll

PID: 6776
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  c:\windows\system32\slui.exe
  c:\windows\system32\ntdll.dll
  c:\windows\system32\kernel32.dll
  c:\windows\system32\kernelbase.dll
  c:\windows\system32\advapi32.dll
  c:\windows\system32\msvcrt.dll
  c:\windows\system32\sechost.dll
  c:\windows\system32\rpcrt4.dll
  c:\windows\system32\bcrypt.dll
  c:\windows\system32\user32.dll
Total events: 3 852
Read events: 3 852
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 213
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

All entries below were written by PID 6532 (2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader.exe).

Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe
Type: -
MD5:
SHA256:

Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe
Type: -
MD5:
SHA256:

Filename: C:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\fsb.tmp
Type: executable
MD5: EC81A660EFCDB89ABD7E67CCF7A82991
SHA256: 92F6DD414DE9694A10AEA34A07C0D9BC01989D6963C730FB3A5E1FE8BBC01E7B

Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe-
Type: executable
MD5: 849E4B12980A803E3223CA8AD3146A0B
SHA256: 80E49BC7628A3A7ECA75E559AF6797BCE23195349C5D95287042E581805CD372

Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe-
Type: executable
MD5: 6514C66CF2933D95A63FCB3E7962D766
SHA256: C26DE48C5C507BFB9489B85DB63C02232F3471EA9C8FDA175DF0E0B10F960C7A

Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\AcroCEF.exe-
Type: executable
MD5: D09AD7FA7F34E3068981D1A496338E58
SHA256: 0E02EDB1E7A412E7940EC7E1D4A651CD92BF167C1FA378FEDE6BF3038F124312

Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe-
Type: executable
MD5: 99DAA626083524426B19C73CEFEC4AC0
SHA256: BE8E60C90F3F68DF2DAB6BADB485E444AD55489EECBBC8A465A070A1B169243B

Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\CCleaner\CCleaner.exe
Type: -
MD5:
SHA256:

Filename: C:\Users\admin\AppData\Local\VirtualStore\Program Files\CCleaner\CCleaner64.exe
Type: -
MD5:
SHA256:

Filename: C:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\fsb.stb
Type: executable
MD5: 280B12E4717C3A7CF2C39561B30BC9E6
SHA256: F6AB4BA25B6075AA5A76D006C434E64CAD37FDB2FF242C848C98FAD5167A1BFC
HTTP(S) requests: 8
TCP/UDP connections: 821
DNS requests: 8
Threats: 26

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 184.25.50.10:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 184.25.50.10:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
5232 | RUXIMICS.exe | GET | 200 | 184.25.50.10:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
5232 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
| | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5232 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
1268 | svchost.exe | 184.25.50.10:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 184.25.50.10:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5232 | RUXIMICS.exe | 184.25.50.10:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
6532 | 2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader.exe | 71.56.190.246:139 | | COMCAST-7922 | US | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 51.124.78.146 | whitelisted
google.com | 142.250.185.238 | whitelisted
crl.microsoft.com | 184.25.50.10, 184.25.50.8 | whitelisted
uk.undernet.org | | unknown
www.microsoft.com | 95.101.149.131 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted
self.events.data.microsoft.com | 13.89.179.11 | whitelisted

Threats

PID | Process | Class | Message
6532 | 2025-06-21_ec81a660efcdb89abd7e67ccf7a82991_black-basta_elex_gcleaner_hijackloader.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network (this entry is listed 10 times in the report)
No debug info