File name: 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader

Full analysis: https://app.any.run/tasks/f1e41f01-4dd6-4c88-b32f-212f778cc6b7
Verdict: Malicious activity
Analysis date: May 17, 2025, 00:08:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: scan, smbscan, yero, worm, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: 4CDC95B0CBF92289C9CD2593F56C7E76
SHA1: E78EA9630D9096FFADE792B714C8858DA4DBB770
SHA256: BF08AF7027734CBB6EE0D43C7F1B8FF6454EEEF52767C34213A1518F1214EF56
SSDEEP: 98304:vRL11elcVBlBtUamvTLd9uRKKd494h5sn6gNEkdfaTgmHie1qKaYVwfuYEiXOfe4:MlcVBlzI1XruYEiXX/PK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • YERO mutex has been found
      • 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe (PID: 7648)
    • YERO has been detected
      • 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe (PID: 7648)
    • Attempting to scan the network
      • 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe (PID: 7648)
      • System (PID: 4)
    • SMBSCAN has been detected (SURICATA)
      • 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe (PID: 7648)
      • System (PID: 4)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe (PID: 7648)
    • Reads security settings of Internet Explorer
      • 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe (PID: 7648)
    • Uses pipe srvsvc via SMB (transferring data)
      • 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe (PID: 7648)
    • The process creates files with name similar to system file names
      • 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe (PID: 7648)
    • Potential Corporate Privacy Violation
      • 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe (PID: 7648)
      • System (PID: 4)
  • INFO
    • Checks supported languages
      • 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe (PID: 7648)
    • Reads the computer name
      • 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe (PID: 7648)
    • Checks proxy server information
      • 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe (PID: 7648)
      • slui.exe (PID: 4696)
    • Creates files or folders in the user directory
      • 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe (PID: 7648)
    • UPX packer has been detected
      • 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe (PID: 7648)
    • Reads the software policy settings
      • slui.exe (PID: 4696)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 5 (76.1)
.exe | InstallShield setup (7.2)
.exe | UPX compressed Win32 Executable (4.5)
.exe | Win32 EXE Yoda's Crypter (4.4)
.exe | Win32 Executable Delphi generic (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 32768
InitializedDataSize: 16896
UninitializedDataSize: -
EntryPoint: 0x8c40
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 128
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0


Process information

PID 4: System
  CMD: System
  Parent process: [System Process]
  User: SYSTEM
  Integrity Level: SYSTEM

PID 4696: slui.exe
  CMD: C:\WINDOWS\System32\slui.exe -Embedding
  Path: C:\Windows\System32\slui.exe
  Parent process: svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

PID 7648: 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe
  CMD: "C:\Users\admin\Desktop\2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe"
  Path: C:\Users\admin\Desktop\2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe
  Parent process: explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Modules (images):
    c:\users\admin\desktop\2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll
Total events: 4 691
Read events: 4 691
Write events: 0
Delete events: 0
Modification events: No data

Executable files: 225
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
7648 | 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe | - | | 
7648 | 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe | - | | 
7648 | 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe | executable | 6AB68DB6C7A52AC24D9413132DF23FC8 | F9A9BF8B6AA15D53AF8047AD69164C4266FD94E5BE3BB212AAA61678ADD038FB
7648 | 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe | executable | 21808022D74FD9531660DEB176CA1F71 | D9B7C10D3404A9DE76490CABD8566B95DFD36A6C99006A3846673C85DC0CB683
7648 | 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\fsb.stb | executable | 280B12E4717C3A7CF2C39561B30BC9E6 | F6AB4BA25B6075AA5A76D006C434E64CAD37FDB2FF242C848C98FAD5167A1BFC
7648 | 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe | executable | 1C8BADB9CD6B037D4C6B843821CB6796 | 6A0F4A0870EB752FCED3A800DD2FA8F114B9E35811AF58616F689B73D5D47EA0
7648 | 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\CRWindowsClientService.exe | executable | E5D5B320D81709646D367A7F67398E0A | FABAC00AE76FAB901E9A5FF6A2783C3A40B6DA23D7DF0E1FACB51355BB86D434
7648 | 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\CCleaner\CCleaner.exe | - | | 
7648 | 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\CCleaner\CCleaner64.exe | - | | 
7648 | 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ADNotificationManager.exe | executable | CFF5B508B584313A69B173D95FFB596A | 6FECEBAEA7ED95E180EE4C96194E6881DB9BD39523502E5F37C0B6EDE5A8FEAB
HTTP(S) requests: 4
TCP/UDP connections: 1 240
DNS requests: 8
Threats: 12

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
2104 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
4996 | RUXIMICS.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
2104 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
4996 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4996 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 | | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
7648 | 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe | 130.220.118.106:139 | | Australian Academic and Research Network AARNet | AU | unknown
7648 | 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe | 192.169.104.100:139 | | ZEN-ECN | IN | unknown
7648 | 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe | 135.247.177.69:139 | | LUCENT-CIO | US | unknown
7648 | 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe | 137.117.2.72:139 | | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown
7648 | 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe | 214.239.103.44:139 | | DNIC-ASBLK-00721-00726 | US | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2 | whitelisted
google.com | 142.250.186.110 | whitelisted
uk.undernet.org | | unknown
crl.microsoft.com | 2.16.164.120, 2.16.164.49 | whitelisted
www.microsoft.com | 95.101.149.131 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

PID | Process | Class | Message
7648 | 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7648 | 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 57
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7648 | 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 26
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7648 | 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7648 | 2025-05-16_4cdc95b0cbf92289c9cd2593f56c7e76_black-basta_elex_gcleaner_hijackloader.exe | Misc Attack | ET DROP Spamhaus DROP Listed Traffic Inbound group 53
No debug info