File name:

2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn

Full analysis: https://app.any.run/tasks/2c5abcb4-1fab-44d3-9845-069f5cf0ae7e
Verdict: Malicious activity
Analysis date: April 15, 2025, 05:26:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
jeefo
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

43592CF6555395D59CDAF1656724F4F8

SHA1:

8180586B1C8001BC772C8E093817F837813942CE

SHA256:

B55FAF0CD44203D821973EA9DE4EE50EC6915A83EE8393763471578055264EFC

SSDEEP:

98304:5cJWWgAN8OG/jc1p1lNRYqhxC9W2pq6vJiUaqk8Nzf/r1KsDdDeu6g5zGJz3f6zK:/Mw4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • JEEFO has been detected

      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe (PID: 672)
      • icsys.icn.exe (PID: 1348)
      • explorer.exe (PID: 5956)
      • updater.exe (PID: 5544)
      • updater.exe (PID: 6272)
      • svchost.exe (PID: 7012)

    • Changes the autorun value in the registry

      • explorer.exe (PID: 5956)
      • svchost.exe (PID: 7012)
      • setup.exe (PID: 7472)

  • SUSPICIOUS

    • Starts application with an unusual extension

      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe (PID: 672)

    • Executable content was dropped or overwritten

      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe (PID: 672)
      • icsys.icn.exe (PID: 1348)
      • explorer.exe (PID: 5956)
      • spoolsv.exe (PID: 5048)
      • updater.exe (PID: 5544)
      • updater.exe (PID: 6272)
      • 135.0.7049.85_chrome_installer.exe (PID: 7448)
      • setup.exe (PID: 7472)

    • Starts itself from another location

      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe (PID: 672)
      • icsys.icn.exe (PID: 1348)
      • spoolsv.exe (PID: 5048)
      • explorer.exe (PID: 5956)
      • svchost.exe (PID: 7012)

    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 1348)
      • spoolsv.exe (PID: 5048)

    • Application launched itself

      • updater.exe (PID: 5544)
      • updater.exe (PID: 6272)
      • updater.exe (PID: 5008)
      • setup.exe (PID: 7472)
      • setup.exe (PID: 7560)
      • updater.exe (PID: 1188)

    • Executes as Windows Service

      • updater.exe (PID: 6272)
      • updater.exe (PID: 5008)
      • updater.exe (PID: 1188)

    • Reads security settings of Internet Explorer

      • updater.exe (PID: 5544)

    • Creates or modifies Windows services

      • svchost.exe (PID: 7012)

    • Creates a software uninstall entry

      • setup.exe (PID: 7472)
      • chrome.exe (PID: 7668)

    • Searches for installed software

      • setup.exe (PID: 7472)

  • INFO

    • Create files in a temporary directory

      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe (PID: 672)
      • icsys.icn.exe (PID: 1348)
      • explorer.exe (PID: 5956)
      • spoolsv.exe (PID: 5048)
      • svchost.exe (PID: 7012)
      • spoolsv.exe (PID: 5124)
      • updater.exe (PID: 5544)

    • Checks supported languages

      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe (PID: 672)
      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 4488)
      • icsys.icn.exe (PID: 1348)
      • explorer.exe (PID: 5956)
      • updater.exe (PID: 5544)
      • spoolsv.exe (PID: 5048)
      • updater.exe (PID: 4040)
      • spoolsv.exe (PID: 5124)
      • updater.exe (PID: 6272)
      • updater.exe (PID: 2616)
      • svchost.exe (PID: 7012)
      • updater.exe (PID: 5124)
      • updater.exe (PID: 5008)
      • 135.0.7049.85_chrome_installer.exe (PID: 7448)
      • setup.exe (PID: 7472)
      • setup.exe (PID: 7492)
      • setup.exe (PID: 7560)
      • setup.exe (PID: 7580)
      • elevation_service.exe (PID: 7948)
      • updater.exe (PID: 1188)
      • updater.exe (PID: 6272)

    • The sample compiled with english language support

      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe (PID: 672)
      • updater.exe (PID: 5544)
      • updater.exe (PID: 6272)
      • 135.0.7049.85_chrome_installer.exe (PID: 7448)
      • setup.exe (PID: 7472)

    • Creates files in the program directory

      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 4488)
      • updater.exe (PID: 5544)
      • updater.exe (PID: 4040)
      • updater.exe (PID: 5008)
      • updater.exe (PID: 6272)
      • setup.exe (PID: 7472)
      • setup.exe (PID: 7560)
      • updater.exe (PID: 1188)

    • Reads the computer name

      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe  (PID: 4488)
      • updater.exe (PID: 5544)
      • updater.exe (PID: 6272)
      • svchost.exe (PID: 7012)
      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe (PID: 672)
      • updater.exe (PID: 5008)
      • 135.0.7049.85_chrome_installer.exe (PID: 7448)
      • setup.exe (PID: 7472)
      • setup.exe (PID: 7560)
      • elevation_service.exe (PID: 7948)
      • explorer.exe (PID: 5956)
      • updater.exe (PID: 1188)

    • Process checks whether UAC notifications are on

      • updater.exe (PID: 5544)
      • updater.exe (PID: 6272)
      • updater.exe (PID: 5008)
      • updater.exe (PID: 1188)

    • Checks proxy server information

      • updater.exe (PID: 5544)
      • slui.exe (PID: 7408)

    • Reads the machine GUID from the registry

      • updater.exe (PID: 5008)
      • updater.exe (PID: 5544)
      • updater.exe (PID: 1188)

    • Reads the software policy settings

      • updater.exe (PID: 5544)
      • updater.exe (PID: 5008)
      • slui.exe (PID: 7408)
      • updater.exe (PID: 1188)

    • Creates files or folders in the user directory

      • updater.exe (PID: 5544)

    • Executes as Windows Service

      • elevation_service.exe (PID: 7948)

    • Manual execution by a user

      • chrome.exe (PID: 7668)

    • Application launched itself

      • chrome.exe (PID: 7668)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
186
Monitored processes
59
Malicious processes
11
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #JEEFO 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe  no specs #JEEFO icsys.icn.exe #JEEFO explorer.exe #JEEFO updater.exe updater.exe no specs spoolsv.exe #JEEFO svchost.exe #JEEFO updater.exe spoolsv.exe no specs updater.exe no specs updater.exe updater.exe no specs slui.exe 135.0.7049.85_chrome_installer.exe setup.exe setup.exe no specs setup.exe no specs setup.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe elevation_service.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs updater.exe updater.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
496"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --field-trial-handle=1976,i,17938075139674322934,4013168693613734874,262144 --variations-seed-version --mojo-platform-channel-handle=6372 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
135.0.7049.85
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
672"C:\Users\admin\Desktop\2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe" C:\Users\admin\Desktop\2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
960"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=1976,i,17938075139674322934,4013168693613734874,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
135.0.7049.85
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\135.0.7049.85\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1072"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --field-trial-handle=1976,i,17938075139674322934,4013168693613734874,262144 --variations-seed-version --mojo-platform-channel-handle=7140 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
135.0.7049.85
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1188"C:\Program Files (x86)\Google\GoogleUpdater\137.0.7115.0\updater.exe" --system --windows-service --service=updateC:\Program Files (x86)\Google\GoogleUpdater\137.0.7115.0\updater.exe
services.exe
User:
SYSTEM
Company:
Google LLC
Integrity Level:
SYSTEM
Description:
Google Updater (x86)
Exit code:
0
Version:
137.0.7115.0
Modules
Images
c:\program files (x86)\google\googleupdater\137.0.7115.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
1280"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --field-trial-handle=1976,i,17938075139674322934,4013168693613734874,262144 --variations-seed-version --mojo-platform-channel-handle=6404 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
135.0.7049.85
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\135.0.7049.85\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1328"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=1976,i,17938075139674322934,4013168693613734874,262144 --variations-seed-version --mojo-platform-channel-handle=3356 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Version:
135.0.7049.85
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\135.0.7049.85\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1348C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe
2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\windows\resources\themes\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
1388"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=1976,i,17938075139674322934,4013168693613734874,262144 --variations-seed-version --mojo-platform-channel-handle=3308 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
135.0.7049.85
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
1676"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --field-trial-handle=1976,i,17938075139674322934,4013168693613734874,262144 --variations-seed-version --mojo-platform-channel-handle=5144 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
135.0.7049.85
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\135.0.7049.85\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
Total events
28 569
Read events
28 290
Write events
245
Delete events
34

Modification events

(PID) Process:(672) 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exeKey:HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation:writeName:LO
Value:
1
(PID) Process:(1348) icsys.icn.exeKey:HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation:writeName:LO
Value:
1
(PID) Process:(6272) updater.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{44fc7fe2-65ce-487c-93f4-edee46eeaaab}
Operation:writeName:pv
Value:
137.0.7115.0
(PID) Process:(6272) updater.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}
Operation:delete keyName:(default)
Value:
(PID) Process:(6272) updater.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation
Operation:delete keyName:(default)
Value:
(PID) Process:(6272) updater.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32
Operation:delete keyName:(default)
Value:
(PID) Process:(6272) updater.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID
Operation:delete keyName:(default)
Value:
(PID) Process:(6272) updater.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID
Operation:delete keyName:(default)
Value:
(PID) Process:(6272) updater.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}
Operation:delete keyName:(default)
Value:
(PID) Process:(6272) updater.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID
Operation:delete keyName:(default)
Value:
Executable files
14
Suspicious files
144
Text files
68
Unknown types
2

Dropped files

PID
Process
Filename
Type
44882025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe C:\Windows\SystemTemp\Google4488_1722264511\UPDATER.PACKED.7Z
MD5:
SHA256:
6722025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exeC:\Windows\Resources\Themes\icsys.icn.exeexecutable
MD5:2A0E0BE1412ED982732A3B5E70509763
SHA256:B848DE93920B2EF78E8AF4782B67E1639DE59D7F4FF336E43033D86E0C16963F
6272updater.exeC:\Program Files (x86)\Google\GoogleUpdater\prefs.json~RF10d17b.TMPbinary
MD5:90AB3119EF40DCA9AA4301DD86230249
SHA256:316F94D57488D2FCC1B4DF4C72B2C8CCA98DE88816E6400C67300AF1FD401CCF
6272updater.exeC:\Program Files (x86)\Google\Update\GoogleUpdate.exeexecutable
MD5:7E0B8E35886A5E72E469A02A7F2D1CC6
SHA256:CF097F99005B6FD2732C3E429972909C46CE06046F6569784A439A481D1B410B
5544updater.exeC:\Program Files (x86)\Google\GoogleUpdater\prefs.jsonbinary
MD5:90AB3119EF40DCA9AA4301DD86230249
SHA256:316F94D57488D2FCC1B4DF4C72B2C8CCA98DE88816E6400C67300AF1FD401CCF
5544updater.exeC:\Program Files (x86)\Google\GoogleUpdater\56e2718d-3185-4d0f-bf03-21e0848755eb.tmpbinary
MD5:90AB3119EF40DCA9AA4301DD86230249
SHA256:316F94D57488D2FCC1B4DF4C72B2C8CCA98DE88816E6400C67300AF1FD401CCF
6722025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exeC:\Users\admin\Desktop\2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe executable
MD5:988AE621E34A23E8AE9E80862F92E172
SHA256:E32A543EF21CA6E10CC48F751887F45F612F100C4A9F7A88EB39ED3F2A400386
5124spoolsv.exeC:\Users\admin\AppData\Local\Temp\~DF94D36C3AE45CEF80.TMPbinary
MD5:AC0E4704725B4B94A7FC11D13DC5413F
SHA256:A910095955A9B248E87E7EBF65B07D99411646809C0A1690E00E6A5597BD87B6
6722025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exeC:\Users\admin\AppData\Local\Temp\~DF314828C41A800939.TMPbinary
MD5:381D9CE27FC77195E177D10E4BFF8F96
SHA256:5F195CD46041FF81BCB440F8259796067CED2921FA54C1304CCEEC8E74A7A9CA
5048spoolsv.exeC:\Users\admin\AppData\Local\Temp\~DFDFE9E64F550F5D86.TMPbinary
MD5:6D9907A9EA35D12B58C9898D7886E860
SHA256:771AA3F2925D421C0FA8FC6997AD5FB8D782B0F7A5C0AEE721765069CAA05FFA
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
38
TCP/UDP connections
52
DNS requests
34
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5008
updater.exe
GET
200
34.104.35.123:80
http://edgedl.me.gvt1.com/edgedl/release2/chrome/mtgl4pv3x5mbcrbsdcnc3rctp4_135.0.7049.85/-8a69d345-d564-463c-aff1-a69d9e530f96-_135.0.7049.85_all_k2h3m242oimh5kxnl55lko4vze.crx3
unknown
whitelisted
7940
chrome.exe
GET
200
142.250.186.78:80
http://clients2.google.com/time/1/current?cup2key=8:reEsfctrxz_asVzCYObe007ORwM1g_CHN9l87zEKC7w&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
unknown
whitelisted
OPTIONS
200
216.58.206.74:443
https://ogads-pa.clients6.google.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData
unknown
unknown
GET
200
142.250.186.78:443
https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.24R2mrw_td8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9vR1rNwOjC3PXOxUlyKiCwNBv2Fg/cb=gapi.loaded_0
unknown
unknown
POST
200
142.250.186.67:443
https://update.googleapis.com/service/update2/json?cup2key=15:2WNF5S6FnK8GdUkS72Vi-yzltQYGwJN1jqqq1qxWpcs&cup2hreq=828b9c51613b4683d0dd51ac2e79a8d46e8b5b1fbfd02545374f544e816034d4
unknown
text
706 Kb
whitelisted
GET
200
142.250.181.228:443
https://dl.google.com/update2/installers/icons/%7B8a69d345-d564-463c-aff1-a69d9e530f96%7D.bmp?lang=en-US
unknown
image
6.52 Kb
whitelisted
GET
301
142.250.186.164:443
https://www.google.com/chrome/v2/whats-new/?version=135
unknown
html
249 b
whitelisted
POST
500
40.91.76.224:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
unknown
xml
512 b
whitelisted
GET
200
142.250.186.131:443
https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=135
unknown
compressed
44.4 Kb
whitelisted
GET
200
142.250.186.164:443
https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE
unknown
text
9.19 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
5008
updater.exe
142.250.184.195:443
update.googleapis.com
GOOGLE
US
whitelisted
5544
updater.exe
216.58.206.78:443
dl.google.com
GOOGLE
US
whitelisted
5008
updater.exe
34.104.35.123:80
edgedl.me.gvt1.com
GOOGLE
US
whitelisted
2384
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7940
chrome.exe
142.250.186.131:443
clientservices.googleapis.com
GOOGLE
US
whitelisted
7940
chrome.exe
142.250.186.78:80
google.com
GOOGLE
US
whitelisted
7940
chrome.exe
142.250.186.132:443
www.google.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.78
whitelisted
update.googleapis.com
  • 142.250.184.195
  • 142.250.186.67
whitelisted
dl.google.com
  • 216.58.206.78
whitelisted
edgedl.me.gvt1.com
  • 34.104.35.123
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
www.google.com
  • 142.250.186.132
whitelisted
clients2.google.com
  • 142.250.186.78
whitelisted
clientservices.googleapis.com
  • 142.250.186.131
whitelisted
safebrowsingohttpgateway.googleapis.com
  • 142.250.181.234
  • 142.250.185.106
  • 142.250.185.74
  • 142.250.186.74
  • 142.250.184.202
  • 172.217.16.202
  • 142.250.186.138
  • 142.250.185.234
  • 142.250.185.138
  • 142.250.185.170
  • 142.250.185.202
  • 216.58.212.170
  • 142.250.186.170
  • 216.58.206.42
  • 142.250.186.106
  • 142.250.186.42
whitelisted

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn