File name: 2025-05-16_08a7b69e0ca5bd6bd6b2b1e8bd785b1b_black-basta_elex_gcleaner_hijackloader

Full analysis: https://app.any.run/tasks/ba6b1df5-3ca1-4a9f-8767-ddb153871f80
Verdict: Malicious activity
Analysis date: May 16, 2025, 03:28:56
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: scan, smbscan, yero, worm, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed, 3 sections
MD5: 08A7B69E0CA5BD6BD6B2B1E8BD785B1B
SHA1: 2188E69DBA8DDCA7A40F832662D09A9F78EDEBAB
SHA256: BEE42FEDA1FC4FFC6B14A06BE8C86ADDD923DD212ACF7A39BF7540D674F5FAF5
SSDEEP: 98304:yRGRL11elcVBlBtUamvTLd9uRKKd494h5sn6gNEkdfaTgmHie1qKaYVwfuYEiXO/:YlcVBlzI1XruYEiXX/PK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • YERO has been detected
      • 2025-05-16_08a7b69e0ca5bd6bd6b2b1e8bd785b1b_black-basta_elex_gcleaner_hijackloader.exe (PID: 7404)
      • tmp1098750.exe (PID: 7424)
    • YERO mutex has been found
      • tmp1098750.exe (PID: 7424)
    • Attempting to scan the network
      • tmp1098750.exe (PID: 7424)
      • System (PID: 4)
    • SMBSCAN has been detected (SURICATA)
      • tmp1098750.exe (PID: 7424)
      • System (PID: 4)
  • SUSPICIOUS
    • Drops 7-Zip archiver for unpacking
      • 2025-05-16_08a7b69e0ca5bd6bd6b2b1e8bd785b1b_black-basta_elex_gcleaner_hijackloader.exe (PID: 7404)
    • Executable content was dropped or overwritten
      • 2025-05-16_08a7b69e0ca5bd6bd6b2b1e8bd785b1b_black-basta_elex_gcleaner_hijackloader.exe (PID: 7404)
      • tmp1098750.exe (PID: 7424)
    • Reads security settings of Internet Explorer
      • tmp1098750.exe (PID: 7424)
    • Uses pipe srvsvc via SMB (transferring data)
      • tmp1098750.exe (PID: 7424)
    • The process creates files with names similar to system file names
      • tmp1098750.exe (PID: 7424)
    • Potential Corporate Privacy Violation
      • tmp1098750.exe (PID: 7424)
      • System (PID: 4)
  • INFO
    • Checks supported languages
      • 2025-05-16_08a7b69e0ca5bd6bd6b2b1e8bd785b1b_black-basta_elex_gcleaner_hijackloader.exe (PID: 7404)
      • tmp1098750.exe (PID: 7424)
      • tmp1098906.exe (PID: 7444)
    • Creates files in a temporary directory
      • 2025-05-16_08a7b69e0ca5bd6bd6b2b1e8bd785b1b_black-basta_elex_gcleaner_hijackloader.exe (PID: 7404)
    • The sample was compiled with English language support
      • 2025-05-16_08a7b69e0ca5bd6bd6b2b1e8bd785b1b_black-basta_elex_gcleaner_hijackloader.exe (PID: 7404)
    • Reads the computer name
      • tmp1098750.exe (PID: 7424)
    • Checks proxy server information
      • tmp1098750.exe (PID: 7424)
    • Creates files or folders in the user directory
      • tmp1098750.exe (PID: 7424)
    • UPX packer has been detected
      • tmp1098750.exe (PID: 7424)
No Malware configuration.

TRiD

.exe | InstallShield setup (37.8)
.exe | UPX compressed Win32 Executable (23.7)
.exe | Win32 EXE Yoda's Crypter (23.3)
.dll | Win32 Dynamic Link Library (generic) (5.7)
.exe | Win32 Executable (generic) (3.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 12288
InitializedDataSize: 4096
UninitializedDataSize: 106496
EntryPoint: 0x1cee0
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 133
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph

start
  • 2025-05-16_08a7b69e0ca5bd6bd6b2b1e8bd785b1b_black-basta_elex_gcleaner_hijackloader.exe (#YERO)
    • tmp1098750.exe (#SMBSCAN)
    • tmp1098906.exe (no specs)
      • conhost.exe (no specs)
  • system (#SMBSCAN)
  • slui.exe

Process information

PID 4 | System | Path: [System Process]
  User: SYSTEM | Integrity Level: SYSTEM

PID 7404 | CMD: "C:\Users\admin\Desktop\2025-05-16_08a7b69e0ca5bd6bd6b2b1e8bd785b1b_black-basta_elex_gcleaner_hijackloader.exe" | Path: C:\Users\admin\Desktop\2025-05-16_08a7b69e0ca5bd6bd6b2b1e8bd785b1b_black-basta_elex_gcleaner_hijackloader.exe
  Parent process: explorer.exe | User: admin | Integrity Level: MEDIUM | Exit code: 0
  Modules (images):
    c:\users\admin\desktop\2025-05-16_08a7b69e0ca5bd6bd6b2b1e8bd785b1b_black-basta_elex_gcleaner_hijackloader.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll

PID 7424 | CMD: C:\Users\admin\AppData\Local\Temp\tmp1098750.exe | Path: C:\Users\admin\AppData\Local\Temp\tmp1098750.exe
  Parent process: 2025-05-16_08a7b69e0ca5bd6bd6b2b1e8bd785b1b_black-basta_elex_gcleaner_hijackloader.exe | User: admin | Integrity Level: MEDIUM
  Modules (images):
    c:\users\admin\appdata\local\temp\tmp1098750.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll

PID 7444 | CMD: C:\Users\admin\AppData\Local\Temp\tmp1098906.exe | Path: C:\Users\admin\AppData\Local\Temp\tmp1098906.exe
  Parent process: 2025-05-16_08a7b69e0ca5bd6bd6b2b1e8bd785b1b_black-basta_elex_gcleaner_hijackloader.exe | User: admin | Integrity Level: MEDIUM | Exit code: 0
  Company: Igor Pavlov | Description: 7-Zip Console | Version: 23.01
  Modules (images):
    c:\users\admin\appdata\local\temp\tmp1098906.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\apphelp.dll
    c:\windows\system32\oleaut32.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll

PID 7444 | CMD: C:\WINDOWS\System32\slui.exe -Embedding | Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe | User: admin | Integrity Level: MEDIUM | Exit code: 0
  Company: Microsoft Corporation | Description: Windows Activation Client | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

PID 7452 | CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | Path: C:\Windows\System32\conhost.exe
  Parent process: tmp1098906.exe | User: admin | Integrity Level: MEDIUM | Exit code: 0
  Company: Microsoft Corporation | Description: Console Window Host | Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\conhost.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\msvcp_win.dll
    c:\windows\system32\ucrtbase.dll
    c:\windows\system32\shcore.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\combase.dll
    c:\windows\system32\rpcrt4.dll
Total events: 4 762
Read events: 4 762
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 228
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7404 | 2025-05-16_08a7b69e0ca5bd6bd6b2b1e8bd785b1b_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\Temp\tmp1099000.exe | -
  MD5: - | SHA256: -
7424 | tmp1098750.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe- | -
  MD5: - | SHA256: -
7424 | tmp1098750.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe- | -
  MD5: - | SHA256: -
7404 | 2025-05-16_08a7b69e0ca5bd6bd6b2b1e8bd785b1b_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\Temp\tmp1098906.exe | executable
  MD5: 9A1DD1D96481D61934DCC2D568971D06 | SHA256: 8CEBB25E240DB3B6986FCAED6BC0B900FA09DAD763A56FB71273529266C5C525
7424 | tmp1098750.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe- | executable
  MD5: 5E0DD133E3957C6E0EE3DAB61D2E3984 | SHA256: 0AFA7EA5F7FAF0E66939D58812906F23701EC5BF8BEBF53A0B255AF0C70C5026
7424 | tmp1098750.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\fsb.stb | executable
  MD5: 280B12E4717C3A7CF2C39561B30BC9E6 | SHA256: F6AB4BA25B6075AA5A76D006C434E64CAD37FDB2FF242C848C98FAD5167A1BFC
7424 | tmp1098750.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe- | executable
  MD5: F71C7C4C7A2508B3DDF5EB5B6C46333E | SHA256: E153FDB43455C6B1706E1D02640CD4AD3D3C32A02E26A8CEF4719D4F0994EF6A
7424 | tmp1098750.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\fsb.tmp | executable
  MD5: 92E5FCB0E540DB5DEFBFED73D7857DC4 | SHA256: B00D2A9558038EFDDAE9BD09D49FF0E17C9E4D30B1450C5361F1B796FCD289E9
7424 | tmp1098750.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe- | executable
  MD5: EFD8631A55DF47187DEDD6421273FCDC | SHA256: F3431938BFE954E35BD7DDA92F0D4392C2CC0A61710387A1B1BB541EFB3BC3A6
7424 | tmp1098750.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe- | executable
  MD5: 5354EA6D13FE1E93C45F71232874E9D8 | SHA256: 5563EB4B3390C8FE5B3EF40168FEAF88AFB8E3642B081420FD3CF0CD8A5D05DC
HTTP(S) requests: 11
TCP/UDP connections: 1 275
DNS requests: 21
Threats: 9

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2564 | RUXIMICS.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
2104 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3676 | SIHClient.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
3676 | SIHClient.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
3676 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
3676 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
2564 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3676 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
3676 | SIHClient.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2104 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
2564 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
7424 | tmp1098750.exe | 209.104.126.211:139 | - | TELUS Communications | CA | unknown
7424 | tmp1098750.exe | 33.108.90.119:139 | - | DNIC-AS-00749 | US | unknown
7424 | tmp1098750.exe | 86.247.144.107:139 | - | Orange | FR | unknown
7424 | tmp1098750.exe | 192.65.234.118:139 | - | ROGERS-COMMUNICATIONS | CA | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158, 20.73.194.208, 4.231.128.59, 51.104.136.2 | whitelisted
google.com | 216.58.206.78 | whitelisted
uk.undernet.org | - | unknown
client.wns.windows.com | 172.211.123.250 | whitelisted
crl.microsoft.com | 23.53.40.178, 23.53.40.176 | whitelisted
www.microsoft.com | 184.30.21.171 | whitelisted
login.live.com | 40.126.31.73, 40.126.31.0, 40.126.31.3, 40.126.31.130, 40.126.31.71, 40.126.31.128, 40.126.31.131, 20.190.159.68 | whitelisted
slscr.update.microsoft.com | 172.202.163.200 | whitelisted
fe3cr.delivery.mp.microsoft.com | 40.69.42.241 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98, 40.91.76.224 | whitelisted

Threats

PID | Process | Class | Message
7424 | tmp1098750.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7424 | tmp1098750.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7424 | tmp1098750.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
No debug info