File name: 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader

Full analysis: https://app.any.run/tasks/172ff03e-a7ea-49e3-bf46-0309dad3dc24
Verdict: Malicious activity
Analysis date: May 16, 2025, 01:57:25
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
scan
smbscan
yero
worm
upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: A404CCC4809C79B57E733D4ADD4ABE91
SHA1: ECC0DBD059115CC79287206CBAEF3FA5538038A1
SHA256: DC732D5E548AA8F819FAF822EE64B2AA3386129A7F153D1EEAFEFB0E48E23B5B
SSDEEP: 98304:vRL11elcVBlBtUamvTLd9uRKKd994h5sn6gNEkdfaTgmHie1qKaYVwfuYEiXOfea:MlcVBlzI1IruYEiXX/PK9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • YERO has been detected

      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
    • YERO mutex has been found

      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
    • Attempting to scan the network

      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
    • SMBSCAN has been detected (SURICATA)

      • System (PID: 4)
      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
  • SUSPICIOUS

    • Uses pipe srvsvc via SMB (transferring data)

      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
    • Executable content was dropped or overwritten

      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
    • Reads security settings of Internet Explorer

      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
    • Potential Corporate Privacy Violation

      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
      • System (PID: 4)
    • The process creates files with name similar to system file names

      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
  • INFO

    • Reads the computer name

      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
    • Reads the software policy settings

      • slui.exe (PID: 5772)
    • Checks supported languages

      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
    • Creates files or folders in the user directory

      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
    • UPX packer has been detected

      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
    • Checks proxy server information

      • slui.exe (PID: 5772)
      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 5 (76.1)
.exe | InstallShield setup (7.2)
.exe | UPX compressed Win32 Executable (4.5)
.exe | Win32 EXE Yoda's Crypter (4.4)
.exe | Win32 Executable Delphi generic (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 32768
InitializedDataSize: 16896
UninitializedDataSize: -
EntryPoint: 0x8c40
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
Total processes: 126
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0


Process information

PID | CMD | Path | Indicators | Parent process

4 | System | [System Process] | - | -
  User: SYSTEM
  Integrity Level: SYSTEM

5772 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | - | svchost.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Windows Activation Client
  Exit code: 0
  Version: 10.0.19041.1 (WinBuild.160101.0800)
  Modules (images):
    c:\windows\system32\slui.exe
    c:\windows\system32\ntdll.dll
    c:\windows\system32\kernel32.dll
    c:\windows\system32\kernelbase.dll
    c:\windows\system32\advapi32.dll
    c:\windows\system32\msvcrt.dll
    c:\windows\system32\sechost.dll
    c:\windows\system32\rpcrt4.dll
    c:\windows\system32\bcrypt.dll
    c:\windows\system32\user32.dll

7560 | "C:\Users\admin\Desktop\2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe" | C:\Users\admin\Desktop\2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | - | explorer.exe
  User: admin
  Integrity Level: MEDIUM
  Modules (images):
    c:\users\admin\desktop\2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe
    c:\windows\system32\ntdll.dll
    c:\windows\syswow64\ntdll.dll
    c:\windows\system32\wow64.dll
    c:\windows\system32\wow64win.dll
    c:\windows\system32\wow64cpu.dll
    c:\windows\syswow64\kernel32.dll
    c:\windows\syswow64\kernelbase.dll
    c:\windows\syswow64\apphelp.dll
    c:\windows\syswow64\advapi32.dll
Total events: 4 517
Read events: 4 517
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 225
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type

7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe | -
  MD5: -
  SHA256: -

7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe | -
  MD5: -
  SHA256: -

7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat_sl.exe | executable
  MD5: 529F4CC5DE1703296517D83459FA8CD4
  SHA256: 2B88B7D0993B2EFBE84ED20FB759648A77140E2C145AC4D688D747CF943462F8

7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\fsb.tmp | executable
  MD5: A404CCC4809C79B57E733D4ADD4ABE91
  SHA256: DC732D5E548AA8F819FAF822EE64B2AA3386129A7F153D1EEAFEFB0E48E23B5B

7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe | executable
  MD5: 05DDB9C9E424531AA09866926356EB51
  SHA256: DC23491A96A6D7E40C01B35EDFDA8BA603A67E4320E5D1AEDF12032C06229AD5

7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\AcroCEF.exe | executable
  MD5: 31AC268FEA1BB3C56C3C5ABA1AAC4F96
  SHA256: 2258F33D8C302D93C090CF65D9408B17D83C216827A781BF954198665D185EA1

7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\NGL\cefWorkflow\adobe_licensing_wf_helper_acro.exe | executable
  MD5: 7F89F2EE26CDD3CE4423BBA777CE0714
  SHA256: 1D25D0F94EBDAEE7FDC80FCD166DC7B8C7F9F95E3A512954754B13AA8F4CB59C

7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\CCleaner\CCleaner.exe | -
  MD5: -
  SHA256: -

7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\CCleaner\CCleaner64.exe | -
  MD5: -
  SHA256: -

7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe | executable
  MD5: D9C7FF32ABD5114CD0F7B631934DA21D
  SHA256: DE8967ECA3D75FA18A27E43A2D0C7187962DBD8D61D397F8F449BE1FA3D74041
HTTP(S) requests: 9
TCP/UDP connections: 1 244
DNS requests: 17
Threats: 9

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation

3888 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
3888 | SIHClient.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | - | - | whitelisted
5024 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3888 | SIHClient.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | - | - | whitelisted
3888 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
3888 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | - | - | whitelisted
3888 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted
5024 | RUXIMICS.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
3888 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | - | - | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

5024 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | 192.169.76.120:139 | - | MONSTERBROADBAND | US | unknown
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | 148.138.204.200:139 | - | - | SE | unknown
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | 188.155.25.138:139 | - | Sunrise GmbH | CH | unknown
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | 47.149.59.38:139 | - | FRONTIER-FRTR | US | unknown
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | 125.164.211.106:139 | - | PT Telekomunikasi Indonesia | ID | unknown

DNS requests

Domain | IP | Reputation

settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2 | whitelisted
google.com | 142.250.186.142 | whitelisted
uk.undernet.org | - | unknown
crl.microsoft.com | 2.16.164.120, 2.16.164.49, 23.53.40.176, 23.53.40.178 | whitelisted
client.wns.windows.com | 172.211.123.250, 172.211.123.248 | whitelisted
www.microsoft.com | 95.101.149.131, 2.23.246.101 | whitelisted
slscr.update.microsoft.com | 52.149.20.212 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.95.31.18 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted
nexusrules.officeapps.live.com | 52.111.236.23 | whitelisted

Threats

PID | Process | Class | Message

7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
No debug info