File name:	2025-08-01_657d7c80c6a26dee90f11902300bf678_black-basta_elex_vidar.exe
Full analysis:	https://app.any.run/tasks/da0b24e9-5c85-4de5-92ec-cfa79bab0b3e
Verdict:	Malicious activity
Analysis date:	August 01, 2025, 04:48:17
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	zombie
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 3 sections
MD5:	657D7C80C6A26DEE90F11902300BF678
SHA1:	DF36FB943CC4B638FFC254630191499ADF7C7FFB
SHA256:	51B4C890A01033D70F3837AAFB0DF2696826137B3C1AF59B5D4847A05FF8FC14
SSDEEP:	12288:mgza9B0lSlaT9pcMXBTARnbi1lHA4jIXVLkoOt/Gk7p:RrDTxbcXVLkht/V7p

.scr	\|	Windows screen saver (46.4)
.dll	\|	Win32 Dynamic Link Library (generic) (23.3)
.exe	\|	Win32 Executable (generic) (15.9)
.exe	\|	Generic Win/DOS Executable (7)
.exe	\|	DOS Executable Generic (7)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2011:03:15 04:06:07+00:00
ImageFileCharacteristics:	No relocs, Executable, No line numbers, No symbols, 32-bit, No debug
PEType:	PE32
LinkerVersion:	6
CodeSize:	13483
InitializedDataSize:	12288
UninitializedDataSize:	-
EntryPoint:	0x2130
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI

PID	Process	Filename		Type
2664	2025-08-01_657d7c80c6a26dee90f11902300bf678_black-basta_elex_vidar.exe			—
		MD5:—	SHA256:—
2664	2025-08-01_657d7c80c6a26dee90f11902300bf678_black-basta_elex_vidar.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\A3DUtils.dll.tmp		executable
		MD5:506001DAB52C5304E8AB1CDF52C9700D	SHA256:1632793596B06BFB30DB313358F01973E3B3805EA2FABFB271AE9FB99348F878
2664	2025-08-01_657d7c80c6a26dee90f11902300bf678_black-basta_elex_vidar.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\acrobat.tlb.tmp		executable
		MD5:E410391B6AEC50D67F75EC0AF77991D7	SHA256:ED9DFE7B7B4AB8C4B383B7881E9E68D2EDA79C680DDB0009C05E9B1B8FE8BBF6
2664	2025-08-01_657d7c80c6a26dee90f11902300bf678_black-basta_elex_vidar.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatInfo.exe.tmp		executable
		MD5:ACE624D8D8375F1AD12803AEBB720C72	SHA256:7A789B67E48079317090EF0B995B5C9EB5BF67FD8F63D26BA5835683712144E0
2664	2025-08-01_657d7c80c6a26dee90f11902300bf678_black-basta_elex_vidar.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\1494870C-9912-C184-4CC9-B401-A53F4D8DE290.pdf.tmp		executable
		MD5:4C423FDF5393E24E242FC615F5555C1E	SHA256:797AFFFDBED5C107ABE58EAB7CBED1403607F31FA1234EB5F8DCC7BFBF1DC20B
2664	2025-08-01_657d7c80c6a26dee90f11902300bf678_black-basta_elex_vidar.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\ACE.dll.tmp		executable
		MD5:A6C7C9E7CEDEE582DB723A0565071C96	SHA256:A825CDE63262BB54DBA614511E793EE9584C949D4B94D04E542921C647D11152
2664	2025-08-01_657d7c80c6a26dee90f11902300bf678_black-basta_elex_vidar.exe	C:\Users\admin\AppData\Local\VirtualStore\BOOTNXT.tmp		executable
		MD5:FA515E5E81C744B56F8A46FFDED90E10	SHA256:188D8751DA82884D6A906F9332430AAA63163FCDDEB1B865FDE687DF978B9E8F
2664	2025-08-01_657d7c80c6a26dee90f11902300bf678_black-basta_elex_vidar.exe	C:\Users\admin\AppData\Local\VirtualStore\bootTel.dat.tmp		executable
		MD5:6A5244A0714F59D3D36C67284283CB45	SHA256:E5202D64E82F7FF680169AF1478F729F735EDD1AB8D54E005A6C2BB104BB1E63
2664	2025-08-01_657d7c80c6a26dee90f11902300bf678_black-basta_elex_vidar.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\Acrobat.exe.tmp		executable
		MD5:928606B85457DD723E946BFB6175DAA1	SHA256:77B201DD51746526582B9B69CAD06D38B2A6E07163B5671EF1B14A72DEC76D74
2664	2025-08-01_657d7c80c6a26dee90f11902300bf678_black-basta_elex_vidar.exe	C:\Users\admin\AppData\Local\VirtualStore\Program Files\Adobe\Acrobat DC\Acrobat\AcrobatRes.dll.tmp		executable
		MD5:8BA3A89E2CF3A388046B753A60727BC5	SHA256:D39A404C74D74DDDD738E1B48B5E255398B38670D2D57DC19AB1AEFE09606EB4

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
2040	RUXIMICS.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	23.216.77.28:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2040	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	20.190.160.14:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	400	20.190.160.66:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	20.190.160.20:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	203 b	whitelisted
—	—	POST	400	40.126.32.138:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
1268	svchost.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5944	MoUsoCoreWorker.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
2040	RUXIMICS.exe	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5944	MoUsoCoreWorker.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
2040	RUXIMICS.exe	23.216.77.28:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5944	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158 51.124.78.146 52.167.17.97 20.73.194.208 51.104.136.2	whitelisted
google.com	142.250.186.110	whitelisted
crl.microsoft.com	23.216.77.28 23.216.77.42 23.216.77.6	whitelisted
www.microsoft.com	95.101.149.131 184.30.21.171	whitelisted
login.live.com	20.190.159.4 20.190.159.131 20.190.159.129 40.126.31.0 40.126.31.69 40.126.31.129 20.190.159.0 20.190.159.128	whitelisted
slscr.update.microsoft.com	74.178.76.128	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
self.events.data.microsoft.com	51.11.192.48	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224 20.83.72.98	whitelisted

General Info

2025-08-01_657d7c80c6a26dee90f11902300bf678_black-basta_elex_vidar.exe

657D7C80C6A26DEE90F11902300BF678

DF36FB943CC4B638FFC254630191499ADF7C7FFB

51B4C890A01033D70F3837AAFB0DF2696826137B3C1AF59B5D4847A05FF8FC14

12288:mgza9B0lSlaT9pcMXBTARnbi1lHA4jIXVLkoOt/Gk7p:RrDTxbcXVLkht/V7p

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

ZOMBIE has been detected (YARA)

SUSPICIOUS

Executable content was dropped or overwritten

The process creates files with name similar to system file names

Creates file in the systems drive root

INFO

Checks supported languages

Checks proxy server information

Reads the software policy settings

Creates files or folders in the user directory

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings