File name: 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn

Full analysis: https://app.any.run/tasks/ccfe120d-ef20-49b7-b1b6-61f5b5881435
Verdict: Malicious activity
Analysis date: May 26, 2025, 08:56:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: jeefo, auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: C0E474BB8B71F19D60927362751EEB19
SHA1: FD891E99476B40F6D1CF6CD7EC74BAC131A0DA4E
SHA256: 92FBF61EBB9488FF723D23F2E0C4875F4BFE7E33FBAC5E895B2C1437BA80F0F1
SSDEEP: 98304:5c4kRcoMOtnvdO/eor4usJRnX2hTjcbngG4BNhw9xK+EGZ/VFqG0gS5J5G:gR

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • JEEFO has been detected

      • svchost.exe (PID: 7708)
      • explorer.exe (PID: 7632)
      • 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 7516)
      • 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7540)
    • Changes the autorun value in the registry

      • svchost.exe (PID: 7708)
  • SUSPICIOUS

    • Creates or modifies Windows services

      • svchost.exe (PID: 7708)
    • Starts application with an unusual extension

      • 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 7516)
    • Executable content was dropped or overwritten

      • 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 7516)
      • 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7540)
      • explorer.exe (PID: 7632)
    • Process drops legitimate windows executable

      • 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7540)
  • INFO

    • Checks supported languages

      • 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 7516)
      • 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7540)
    • Create files in a temporary directory

      • 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 7516)
      • 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7540)
    • The sample compiled with english language support

      • 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 7516)
      • 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7540)
      • explorer.exe (PID: 7632)
    • Creates files in the program directory

      • 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7540)
    • Launch of the file from Registry key

      • svchost.exe (PID: 7708)
    • Manual execution by a user

      • svchost.exe (PID: 7296)
      • explorer.exe (PID: 8176)
    • Checks proxy server information

      • slui.exe (PID: 8128)
    • Reads the software policy settings

      • slui.exe (PID: 8128)
    • Reads the computer name

      • 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7540)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
Total processes: 132
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 0

Behavior graph

Process nodes shown in the graph, in order (start node first):
  • #JEEFO 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe
  • #JEEFO 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe 
  • explorer.exe (no specs)
  • svchost.exe (no specs)
  • slui.exe
  • explorer.exe (no specs)
  • svchost.exe (no specs)
  • 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe (no specs)

Process information

PID: 7296
CMD: c:\windows\resources\svchost.exe RO
Path: C:\Windows\Resources\svchost.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.00
Modules (images):
  • c:\windows\resources\svchost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll

PID: 7468
CMD: "C:\Users\admin\Desktop\2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe"
Path: C:\Users\admin\Desktop\2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.00
Modules (images):
  • c:\users\admin\desktop\2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll

PID: 7516
CMD: "C:\Users\admin\Desktop\2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe"
Path: C:\Users\admin\Desktop\2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Version: 1.00
Modules (images):
  • c:\users\admin\desktop\2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvbvm60.dll

PID: 7540
CMD: c:\users\admin\desktop\2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Path: C:\Users\admin\Desktop\2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Parent process: 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe
User: admin
Integrity Level: HIGH
Version: 1.00
Modules (images):
  • c:\users\admin\desktop\2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe 
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvbvm60.dll

PID: 7632
CMD: c:\windows\resources\themes\explorer.exe
Path: C:\Windows\Resources\Themes\explorer.exe
User: admin
Integrity Level: HIGH
Version: 1.00

PID: 7708
CMD: c:\windows\resources\svchost.exe
Path: C:\Windows\Resources\svchost.exe
User: admin
Integrity Level: HIGH
Version: 1.00

PID: 8128
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID: 8176
CMD: c:\windows\resources\themes\explorer.exe RO
Path: C:\Windows\Resources\Themes\explorer.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226540
Version: 1.00
Modules (images):
  • c:\windows\resources\themes\explorer.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
Total events: 3 415
Read events: 3 405
Write events: 10
Delete events: 0

Modification events

PID: 7540
Process: 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

PID: 7516
Process: 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

PID: 7708
Process: svchost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule
Operation: write
Name: Start
Value: 2

PID: 7708
Process: svchost.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess
Operation: write
Name: Start
Value: 4

PID: 7708
Process: svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Explorer
Value: c:\windows\resources\themes\explorer.exe RO

PID: 7708
Process: svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: Svchost
Value: c:\windows\resources\svchost.exe RO
Executable files: 6
Suspicious files: 2
Text files: 0
Unknown types: 0

Dropped files

PID: 7540
Process: 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe
Filename: C:\Users\admin\AppData\Local\Temp\A1D26E2\C6401D881D74.tmp
Type: executable
MD5: 369B54990D6E76920AAA5476484C7229
SHA256: 1D3E356CFCC3DA34ED7F90A2573A89C701118487B8F4C11F719B3AB14B6B401E

PID: 7540
Process: 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe
Filename: C:\Program Files\Common Files\System\symsrv.dll
Type: executable
MD5: 7574CF2C64F35161AB1292E2F532AABF
SHA256: DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085

PID: 7516
Process: 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe
Filename: C:\Windows\Resources\Themes\icsys.icn.exe
Type: executable
MD5: C4640C8F49C4339CD6DDBC1458F45BD6
SHA256: 615928F2DA239FEC14E8CF471A4608872C1F79F67FD9DB0B457E66EA8ED35243

PID: 7516
Process: 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe
Filename: C:\Users\admin\Desktop\2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Type: executable
MD5: 410C3528AA6AF6972C80A4EA05401F48
SHA256: 7B66782D026B3079FCBE9784CD5046E0E6AAF8EF0381F9F87129EF6D87CC7606

PID: 7540
Process: 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe
Filename: C:\Windows\Resources\Themes\icsys.icn.exe
Type: executable
MD5: C4640C8F49C4339CD6DDBC1458F45BD6
SHA256: 615928F2DA239FEC14E8CF471A4608872C1F79F67FD9DB0B457E66EA8ED35243

PID: 7632
Process: explorer.exe
Filename: C:\Windows\Resources\spoolsv.exe
Type: executable
MD5: 8A4CF2172AF7B132E8BC6B729F1C79EE
SHA256: 4511813A67DE105C3C41B34B9AFA4AF28F879C4E55516B7496E14ADAB4F5601D

PID: 7540
Process: 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFB43339B3B74EE0BC.TMP
Type: binary
MD5: AC738BBEFB7C62095B42263A3CA61CF4
SHA256: 22148C3654E50472D95B5DC3C16AFEFA46C8CC7EF00A46144F7542F35683F10F

PID: 7516
Process: 2025-05-26_c0e474bb8b71f19d60927362751eeb19_amadey_black-basta_elex_floxif_hellokitty_hijackloader_luca-stealer_swisyn.exe
Filename: C:\Users\admin\AppData\Local\Temp\~DFAA016AFE0D3374B9.TMP
Type: binary
MD5: 584AEE7B5EC2AF0095C46A87059DA1BA
SHA256: DD5C279C3D8233915FE61BD6BB4CB05D51AB360BB60F7B37E3BA815BE0EAA3E3
HTTP(S) requests: 4
TCP/UDP connections: 20
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4108 | RUXIMICS.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4108 | RUXIMICS.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
4108 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4108 | RUXIMICS.exe | 23.216.77.6:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4108 | RUXIMICS.exe | 2.23.246.101:80 | www.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted
4756 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
8128 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
google.com | 142.250.185.174 | whitelisted
crl.microsoft.com | 23.216.77.6, 23.216.77.28 | whitelisted
www.microsoft.com | 2.23.246.101 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info