File name: 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader

Full analysis: https://app.any.run/tasks/172ff03e-a7ea-49e3-bf46-0309dad3dc24
Verdict: Malicious activity
Analysis date: May 16, 2025, 01:57:25
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: scan, smbscan, yero, worm, upx
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 8 sections
MD5: A404CCC4809C79B57E733D4ADD4ABE91
SHA1: ECC0DBD059115CC79287206CBAEF3FA5538038A1
SHA256: DC732D5E548AA8F819FAF822EE64B2AA3386129A7F153D1EEAFEFB0E48E23B5B
SSDEEP: 98304:vRL11elcVBlBtUamvTLd9uRKKd994h5sn6gNEkdfaTgmHie1qKaYVwfuYEiXOfea:MlcVBlzI1IruYEiXX/PK9

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • YERO mutex has been found
      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
    • YERO has been detected
      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
    • SMBSCAN has been detected (SURICATA)
      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
      • System (PID: 4)
    • Attempting to scan the network
      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
  • SUSPICIOUS
    • Executable content was dropped or overwritten
      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
    • Reads security settings of Internet Explorer
      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
    • Uses pipe srvsvc via SMB (transferring data)
      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
    • Potential Corporate Privacy Violation
      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
      • System (PID: 4)
    • The process creates files with names similar to system file names
      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
  • INFO
    • Checks supported languages
      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
    • Reads the computer name
      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
    • Checks proxy server information
      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
      • slui.exe (PID: 5772)
    • Creates files or folders in the user directory
      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
    • UPX packer has been detected
      • 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe (PID: 7560)
    • Reads the software policy settings
      • slui.exe (PID: 5772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable Borland Delphi 5 (76.1)
.exe | InstallShield setup (7.2)
.exe | UPX compressed Win32 Executable (4.5)
.exe | Win32 EXE Yoda's Crypter (4.4)
.exe | Win32 Executable Delphi generic (2.3)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 1992:06:19 22:22:17+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi
PEType: PE32
LinkerVersion: 2.25
CodeSize: 32768
InitializedDataSize: 16896
UninitializedDataSize: -
EntryPoint: 0x8c40
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes: 126
Monitored processes: 3
Malicious processes: 2
Suspicious processes: 0

Behavior graph

Nodes: start | #SMBSCAN 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | #SMBSCAN system | slui.exe

Process information

PID: 4
CMD: System
Parent process: [System Process]
User: SYSTEM
Integrity Level: SYSTEM

PID: 5772
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (Images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll

PID: 7560
CMD: "C:\Users\admin\Desktop\2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe"
Path: C:\Users\admin\Desktop\2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Modules (Images):
c:\users\admin\desktop\2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events: 4 517
Read events: 4 517
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 225
Suspicious files: 0
Text files: 0
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroCEF\SingleClientServicesUpdater.exe | -
MD5:
SHA256:
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrocef_1\SingleClientServicesUpdater.exe | -
MD5:
SHA256:
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ADelRCP.exe | executable
MD5: 7741E88C23BC42CE93F35F664E4EC253
SHA256: 83B81987CDF6BD9D3433B1D391B79E8E355A3C9A166A8B379BA5A228FA2EF919
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroBroker.exe | executable
MD5: 05DDB9C9E424531AA09866926356EB51
SHA256: DC23491A96A6D7E40C01B35EDFDA8BA603A67E4320E5D1AEDF12032C06229AD5
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcroTextExtractor.exe | executable
MD5: 58CF3E81E37ECAA0D54A54BBA7DBAC3A
SHA256: DD2F45772AD540186748C8E88F08E0061EBBEEE878971EA1817E35D5B8BAD634
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Windows\SysWOW64\fsb.stb | executable
MD5: 280B12E4717C3A7CF2C39561B30BC9E6
SHA256: F6AB4BA25B6075AA5A76D006C434E64CAD37FDB2FF242C848C98FAD5167A1BFC
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\CRLogTransport.exe | executable
MD5: FED304B4CDDC88A9AFF71086F3CCE123
SHA256: 176E844E7CAECA69F8E978CF2E3D51E98256ADF8A53A2B21286E7CD371451DB1
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\CCleaner\CCleaner.exe | -
MD5:
SHA256:
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\CCleaner\CCleaner64.exe | -
MD5:
SHA256:
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe | executable
MD5: AB588B09D521A8FE71DF38CF8B972876
SHA256: DD93AA69BEF9DA90337D44A9381E09B5473619ED4772BAB5A3C660C1AD45B1EE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 9
TCP/UDP connections: 1 244
DNS requests: 17
Threats: 9

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5024 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
5024 | RUXIMICS.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
3888 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl | unknown | | | whitelisted
3888 | SIHClient.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl | unknown | | | whitelisted
3888 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl | unknown | | | whitelisted
3888 | SIHClient.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl | unknown | | | whitelisted
3888 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | | | whitelisted
3888 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl | unknown | | | whitelisted
3888 | SIHClient.exe | GET | 200 | 2.23.246.101:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl | unknown | | | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5024 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
 | | 192.168.100.255:137 | | | | whitelisted
 | | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
 | | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | 192.169.76.120:139 | | MONSTERBROADBAND | US | unknown
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | 148.138.204.200:139 | | | SE | unknown
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | 188.155.25.138:139 | | Sunrise GmbH | CH | unknown
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | 47.149.59.38:139 | | FRONTIER-FRTR | US | unknown
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | 125.164.211.106:139 | | PT Telekomunikasi Indonesia | ID | unknown

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2 | whitelisted
google.com | 142.250.186.142 | whitelisted
uk.undernet.org | | unknown
crl.microsoft.com | 2.16.164.120, 2.16.164.49, 23.53.40.176, 23.53.40.178 | whitelisted
client.wns.windows.com | 172.211.123.250, 172.211.123.248 | whitelisted
www.microsoft.com | 95.101.149.131, 2.23.246.101 | whitelisted
slscr.update.microsoft.com | 52.149.20.212 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.95.31.18 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted
nexusrules.officeapps.live.com | 52.111.236.23 | whitelisted

Threats

PID | Process | Class | Message
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
7560 | 2025-05-16_a404ccc4809c79b57e733d4add4abe91_black-basta_elex_gcleaner_hijackloader.exe | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
4 | System | Potential Corporate Privacy Violation | POLICY [ANY.RUN] Attempting to scan SMB servers outside a home network
No debug info