File name: 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn

Full analysis: https://app.any.run/tasks/2c5abcb4-1fab-44d3-9845-069f5cf0ae7e
Verdict: Malicious activity
Analysis date: April 15, 2025, 05:26:47
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: jeefo
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 43592CF6555395D59CDAF1656724F4F8
SHA1: 8180586B1C8001BC772C8E093817F837813942CE
SHA256: B55FAF0CD44203D821973EA9DE4EE50EC6915A83EE8393763471578055264EFC
SSDEEP: 98304:5cJWWgAN8OG/jc1p1lNRYqhxC9W2pq6vJiUaqk8Nzf/r1KsDdDeu6g5zGJz3f6zK:/Mw4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • JEEFO has been detected

      • icsys.icn.exe (PID: 1348)
      • explorer.exe (PID: 5956)
      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe (PID: 672)
      • updater.exe (PID: 5544)
      • updater.exe (PID: 6272)
      • svchost.exe (PID: 7012)
    • Changes the autorun value in the registry

      • svchost.exe (PID: 7012)
      • explorer.exe (PID: 5956)
      • setup.exe (PID: 7472)
  • SUSPICIOUS

    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 1348)
      • spoolsv.exe (PID: 5048)
    • Starts itself from another location

      • icsys.icn.exe (PID: 1348)
      • explorer.exe (PID: 5956)
      • svchost.exe (PID: 7012)
      • spoolsv.exe (PID: 5048)
      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe (PID: 672)
    • Executable content was dropped or overwritten

      • icsys.icn.exe (PID: 1348)
      • explorer.exe (PID: 5956)
      • spoolsv.exe (PID: 5048)
      • updater.exe (PID: 5544)
      • updater.exe (PID: 6272)
      • 135.0.7049.85_chrome_installer.exe (PID: 7448)
      • setup.exe (PID: 7472)
      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe (PID: 672)
    • Application launched itself

      • updater.exe (PID: 5544)
      • updater.exe (PID: 6272)
      • updater.exe (PID: 5008)
      • setup.exe (PID: 7472)
      • setup.exe (PID: 7560)
      • updater.exe (PID: 1188)
    • Executes as Windows Service

      • updater.exe (PID: 6272)
      • updater.exe (PID: 5008)
      • updater.exe (PID: 1188)
    • Reads security settings of Internet Explorer

      • updater.exe (PID: 5544)
    • Creates or modifies Windows services

      • svchost.exe (PID: 7012)
    • Creates a software uninstall entry

      • setup.exe (PID: 7472)
      • chrome.exe (PID: 7668)
    • Starts application with an unusual extension

      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe (PID: 672)
    • Searches for installed software

      • setup.exe (PID: 7472)
  • INFO

    • Checks supported languages

      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe (PID: 4488)
      • icsys.icn.exe (PID: 1348)
      • explorer.exe (PID: 5956)
      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe (PID: 672)
      • updater.exe (PID: 4040)
      • updater.exe (PID: 5544)
      • spoolsv.exe (PID: 5048)
      • svchost.exe (PID: 7012)
      • spoolsv.exe (PID: 5124)
      • updater.exe (PID: 6272)
      • updater.exe (PID: 2616)
      • updater.exe (PID: 5124)
      • updater.exe (PID: 5008)
      • 135.0.7049.85_chrome_installer.exe (PID: 7448)
      • setup.exe (PID: 7492)
      • setup.exe (PID: 7560)
      • setup.exe (PID: 7580)
      • setup.exe (PID: 7472)
      • updater.exe (PID: 1188)
      • elevation_service.exe (PID: 7948)
      • updater.exe (PID: 6272)
    • Creates files in the program directory

      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe (PID: 4488)
      • updater.exe (PID: 4040)
      • updater.exe (PID: 5544)
      • updater.exe (PID: 6272)
      • updater.exe (PID: 5008)
      • setup.exe (PID: 7472)
      • setup.exe (PID: 7560)
      • updater.exe (PID: 1188)
    • Create files in a temporary directory

      • icsys.icn.exe (PID: 1348)
      • explorer.exe (PID: 5956)
      • spoolsv.exe (PID: 5048)
      • spoolsv.exe (PID: 5124)
      • svchost.exe (PID: 7012)
      • updater.exe (PID: 5544)
      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe (PID: 672)
    • Reads the computer name

      • updater.exe (PID: 5544)
      • updater.exe (PID: 6272)
      • svchost.exe (PID: 7012)
      • updater.exe (PID: 5008)
      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe (PID: 672)
      • 135.0.7049.85_chrome_installer.exe (PID: 7448)
      • setup.exe (PID: 7472)
      • setup.exe (PID: 7560)
      • explorer.exe (PID: 5956)
      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe (PID: 4488)
      • elevation_service.exe (PID: 7948)
      • updater.exe (PID: 1188)
    • The sample was compiled with English language support

      • 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe (PID: 672)
      • updater.exe (PID: 5544)
      • updater.exe (PID: 6272)
      • 135.0.7049.85_chrome_installer.exe (PID: 7448)
      • setup.exe (PID: 7472)
    • Process checks whether UAC notifications are on

      • updater.exe (PID: 5544)
      • updater.exe (PID: 6272)
      • updater.exe (PID: 5008)
      • updater.exe (PID: 1188)
    • Reads the software policy settings

      • updater.exe (PID: 5544)
      • updater.exe (PID: 5008)
      • slui.exe (PID: 7408)
      • updater.exe (PID: 1188)
    • Reads the machine GUID from the registry

      • updater.exe (PID: 5008)
      • updater.exe (PID: 5544)
      • updater.exe (PID: 1188)
    • Creates files or folders in the user directory

      • updater.exe (PID: 5544)
    • Checks proxy server information

      • updater.exe (PID: 5544)
      • slui.exe (PID: 7408)
    • Manual execution by a user

      • chrome.exe (PID: 7668)
    • Application launched itself

      • chrome.exe (PID: 7668)
    • Executes as Windows Service

      • elevation_service.exe (PID: 7948)
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
Total processes: 186
Monitored processes: 59
Malicious processes: 11
Suspicious processes: 1

Behavior graph

(Interactive process graph; the rendered graph is in the full report. Nodes flagged #JEEFO: the sample 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe, icsys.icn.exe, explorer.exe, updater.exe (two instances) and svchost.exe. Other nodes in the tree: a second instance of the sample, spoolsv.exe, slui.exe, 135.0.7049.85_chrome_installer.exe, setup.exe, chrome.exe, elevation_service.exe and further updater.exe and chrome.exe instances.)

Process information

(Per process: PID, command line, image path, parent process, user, integrity level, exit code, version and loaded modules.)
PID 496: chrome.exe
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --field-trial-handle=1976,i,17938075139674322934,4013168693613734874,262144 --variations-seed-version --mojo-platform-channel-handle=6372 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 135.0.7049.85
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID 672: 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe
CMD: "C:\Users\admin\Desktop\2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe"
Path: C:\Users\admin\Desktop\2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
c:\users\admin\desktop\2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID 960: chrome.exe
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=1976,i,17938075139674322934,4013168693613734874,262144 --variations-seed-version --mojo-platform-channel-handle=4448 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Version: 135.0.7049.85
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\135.0.7049.85\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID 1072: chrome.exe
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --field-trial-handle=1976,i,17938075139674322934,4013168693613734874,262144 --variations-seed-version --mojo-platform-channel-handle=7140 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 135.0.7049.85
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID 1188: updater.exe
CMD: "C:\Program Files (x86)\Google\GoogleUpdater\137.0.7115.0\updater.exe" --system --windows-service --service=update
Path: C:\Program Files (x86)\Google\GoogleUpdater\137.0.7115.0\updater.exe
Parent process: services.exe
User: SYSTEM
Company: Google LLC
Integrity Level: SYSTEM
Description: Google Updater (x86)
Exit code: 0
Version: 137.0.7115.0
Modules (images):
c:\program files (x86)\google\googleupdater\137.0.7115.0\updater.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID 1280: chrome.exe
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --field-trial-handle=1976,i,17938075139674322934,4013168693613734874,262144 --variations-seed-version --mojo-platform-channel-handle=6404 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 135.0.7049.85
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\135.0.7049.85\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID 1328: chrome.exe
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=1976,i,17938075139674322934,4013168693613734874,262144 --variations-seed-version --mojo-platform-channel-handle=3356 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Version: 135.0.7049.85
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\135.0.7049.85\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
PID 1348: icsys.icn.exe
CMD: C:\Windows\Resources\Themes\icsys.icn.exe
Path: C:\Windows\Resources\Themes\icsys.icn.exe
Parent process: 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe
User: admin
Integrity Level: HIGH
Exit code: 0
Version: 1.00
Modules (images):
c:\windows\resources\themes\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID 1388: chrome.exe
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=1976,i,17938075139674322934,4013168693613734874,262144 --variations-seed-version --mojo-platform-channel-handle=3308 /prefetch:1
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 135.0.7049.85
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
PID 1676: chrome.exe
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --field-trial-handle=1976,i,17938075139674322934,4013168693613734874,262144 --variations-seed-version --mojo-platform-channel-handle=5144 /prefetch:8
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: LOW
Description: Google Chrome
Exit code: 0
Version: 135.0.7049.85
Modules (images):
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\135.0.7049.85\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
Total events: 28 569
Read events: 28 290
Write events: 245
Delete events: 34

Modification events

PID | Process | Key | Operation | Name | Value
672 | 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe | HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process | write | LO | 1
1348 | icsys.icn.exe | HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process | write | LO | 1
6272 | updater.exe | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientState\{44fc7fe2-65ce-487c-93f4-edee46eeaaab} | write | pv | 137.0.7115.0
6272 | updater.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4} | delete key | (default) | -
6272 | updater.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\Elevation | delete key | (default) | -
6272 | updater.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\LocalServer32 | delete key | (default) | -
6272 | updater.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\ProgID | delete key | (default) | -
6272 | updater.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8A1D4361-2C08-4700-A351-3EAA9CBFF5E4}\VersionIndependentProgID | delete key | (default) | -
6272 | updater.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6} | delete key | (default) | -
6272 | updater.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{534F5323-3569-4F42-919D-1E1CF93E5BF6}\ProgID | delete key | (default) | -
Executable files: 14
Suspicious files: 144
Text files: 68
Unknown types: 2

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
4488 | 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe | C:\Windows\SystemTemp\Google4488_1722264511\UPDATER.PACKED.7Z | - | - | -
5956 | explorer.exe | C:\Windows\Resources\spoolsv.exe | executable | 0D76248CFAFD957FC3C4DF9922D22D77 | 1F238BDE25CD9B428B8A3A7287A5F4FDF5B1C6D3EEEF4444D3A81DCFE85F9C9C
1348 | icsys.icn.exe | C:\Windows\Resources\Themes\explorer.exe | executable | 03C60119C20E1AC2586D57EC6403B4E2 | CC4195C81E2B0E8FD5D7C1182C5A1C2CC1E667F64E089AA54A33623BBD3FA490
672 | 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe | C:\Windows\Resources\Themes\icsys.icn.exe | executable | 2A0E0BE1412ED982732A3B5E70509763 | B848DE93920B2EF78E8AF4782B67E1639DE59D7F4FF336E43033D86E0C16963F
5544 | updater.exe | C:\Program Files (x86)\Google\GoogleUpdater\137.0.7115.0\updater.exe | executable | 7E0B8E35886A5E72E469A02A7F2D1CC6 | CF097F99005B6FD2732C3E429972909C46CE06046F6569784A439A481D1B410B
5544 | updater.exe | C:\Program Files (x86)\Google\GoogleUpdater\137.0.7115.0\uninstall.cmd | text | FBC297EE9060D4256192E4EDB98CAD1B | 099592FFA867124D16C0C6D868AF1214FD2B7180FA76E4EEE01ABF2A5CF8F044
5544 | updater.exe | C:\Program Files (x86)\Google\GoogleUpdater\137.0.7115.0\Crashpad\settings.dat | binary | 4D476674DFC9B3C52BE3560D4A79BACF | 472735E36C4D8D0D2B43F6EB462DE115C0921BAA6641A65E36B0B2577B28D4BD
672 | 2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe | C:\Users\admin\Desktop\2025-04-15_43592cf6555395d59cdaf1656724f4f8_black-basta_elex_hijackloader_luca-stealer_swisyn.exe | executable | 988AE621E34A23E8AE9E80862F92E172 | E32A543EF21CA6E10CC48F751887F45F612F100C4A9F7A88EB39ED3F2A400386
5544 | updater.exe | C:\Program Files (x86)\Google\GoogleUpdater\prefs.json | binary | 90AB3119EF40DCA9AA4301DD86230249 | 316F94D57488D2FCC1B4DF4C72B2C8CCA98DE88816E6400C67300AF1FD401CCF
5048 | spoolsv.exe | C:\Windows\Resources\svchost.exe | executable | 11F33C001BB40DA955CCF8E1170F289A | A62503DBA9DCF5859557F3944FEB51C04B4E369D72B21B360DA74BCB943BF46D
HTTP(S) requests: 38
TCP/UDP connections: 52
DNS requests: 34
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5008 | updater.exe | GET | 200 | 34.104.35.123:80 | http://edgedl.me.gvt1.com/edgedl/release2/chrome/mtgl4pv3x5mbcrbsdcnc3rctp4_135.0.7049.85/-8a69d345-d564-463c-aff1-a69d9e530f96-_135.0.7049.85_all_k2h3m242oimh5kxnl55lko4vze.crx3 | unknown | - | - | whitelisted
7940 | chrome.exe | GET | 200 | 142.250.186.78:80 | http://clients2.google.com/time/1/current?cup2key=8:reEsfctrxz_asVzCYObe007ORwM1g_CHN9l87zEKC7w&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | unknown | - | - | whitelisted
- | - | OPTIONS | 200 | 216.58.206.74:443 | https://ogads-pa.clients6.google.com/$rpc/google.internal.onegoogle.asyncdata.v1.AsyncDataService/GetAsyncData | unknown | - | - | -
- | - | GET | 200 | 142.250.186.78:443 | https://apis.google.com/_/scs/abc-static/_/js/k=gapi.gapi.en.24R2mrw_td8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9vR1rNwOjC3PXOxUlyKiCwNBv2Fg/cb=gapi.loaded_0 | unknown | - | - | -
- | - | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | GET | 200 | 142.250.181.228:443 | https://dl.google.com/update2/installers/icons/%7B8a69d345-d564-463c-aff1-a69d9e530f96%7D.bmp?lang=en-US | unknown | image | 6.52 Kb | whitelisted
- | - | POST | 200 | 142.250.186.67:443 | https://update.googleapis.com/service/update2/json?cup2key=15:2WNF5S6FnK8GdUkS72Vi-yzltQYGwJN1jqqq1qxWpcs&cup2hreq=828b9c51613b4683d0dd51ac2e79a8d46e8b5b1fbfd02545374f544e816034d4 | unknown | text | 706 Kb | whitelisted
- | - | GET | 200 | 142.250.186.131:443 | https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=135 | unknown | compressed | 44.4 Kb | whitelisted
- | - | POST | 200 | 142.250.186.67:443 | https://update.googleapis.com/service/update2/json | unknown | text | 242 b | whitelisted
- | - | GET | 200 | 142.250.185.202:443 | https://safebrowsingohttpgateway.googleapis.com/v1/ohttp/hpkekeyconfig?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE | unknown | binary | 41 b | whitelisted

(Rows with "-" in the PID and Process columns lost those cells in the report export; the process is not shown for them.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5008 | updater.exe | 142.250.184.195:443 | update.googleapis.com | GOOGLE | US | whitelisted
5544 | updater.exe | 216.58.206.78:443 | dl.google.com | GOOGLE | US | whitelisted
5008 | updater.exe | 34.104.35.123:80 | edgedl.me.gvt1.com | GOOGLE | US | whitelisted
2384 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7940 | chrome.exe | 142.250.186.131:443 | clientservices.googleapis.com | GOOGLE | US | whitelisted
7940 | chrome.exe | 142.250.186.78:80 | google.com | GOOGLE | US | whitelisted
7940 | chrome.exe | 142.250.186.132:443 | www.google.com | GOOGLE | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59 | whitelisted
google.com | 142.250.186.78 | whitelisted
update.googleapis.com | 142.250.184.195, 142.250.186.67 | whitelisted
dl.google.com | 216.58.206.78 | whitelisted
edgedl.me.gvt1.com | 34.104.35.123 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted
www.google.com | 142.250.186.132 | whitelisted
clients2.google.com | 142.250.186.78 | whitelisted
clientservices.googleapis.com | 142.250.186.131 | whitelisted
safebrowsingohttpgateway.googleapis.com | 142.250.181.234, 142.250.185.106, 142.250.185.74, 142.250.186.74, 142.250.184.202, 172.217.16.202, 142.250.186.138, 142.250.185.234, 142.250.185.138, 142.250.185.170, 142.250.185.202, 216.58.212.170, 142.250.186.170, 216.58.206.42, 142.250.186.106, 142.250.186.42 | whitelisted

Threats

No threats detected
No debug info