File name: 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader

Full analysis: https://app.any.run/tasks/1932cfff-5a26-4690-8853-8c2aa1e9d9a0
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 01, 2025, 19:09:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: loader, upx, auto-reg
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: FFD5F52012FDEC8ACA81F500546ABEA6
SHA1: 5AA21EA9E445A8FABDC73760329B403AAEC7D257
SHA256: 5A1C4FC955B79EA097E6194AF74513A34C1477CA4B6F9E36E6C72535546FC743
SSDEEP: 49152:E0xNv1zPFk4Q3C9fvSR4PKYhfneLmYvoSiGb1sL6hZrl7eyG3lEmLSAto8s73ZxS:3DtO4Q3C9CSP1Oj3b2L67rlslE2Sco8h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • Connects to the CnC server

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • Changes the autorun value in the registry

      • setup.exe (PID: 8176)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
      • 137.0.7151.56_chrome_installer.exe (PID: 8164)
      • setup.exe (PID: 8176)
    • Process drops legitimate windows executable

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • Reads security settings of Internet Explorer

      • GoogleUpdate.exe (PID: 7320)
      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdate.exe (PID: 6040)
      • GoogleUpdate.exe (PID: 6392)
      • GoogleUpdateSetup.exe (PID: 7388)
    • Contacting a server suspected of hosting an CnC

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • Potential Corporate Privacy Violation

      • svchost.exe (PID: 1812)
    • Process requests binary or script from the Internet

      • svchost.exe (PID: 1812)
    • There is functionality for taking screenshot (YARA)

      • GoogleUpdate.exe (PID: 7320)
      • GoogleUpdate.exe (PID: 6392)
      • GoogleUpdate.exe (PID: 6040)
    • Application launched itself

      • setup.exe (PID: 8176)
      • setup.exe (PID: 6564)
      • GoogleUpdate.exe (PID: 6392)
    • Searches for installed software

      • setup.exe (PID: 8176)
    • Creates a software uninstall entry

      • setup.exe (PID: 8176)
  • INFO

    • The sample compiled with english language support

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
      • svchost.exe (PID: 1812)
      • 137.0.7151.56_chrome_installer.exe (PID: 8164)
      • setup.exe (PID: 8176)
    • Failed to create an executable file in Windows directory

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
    • Reads the computer name

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdate.exe (PID: 7320)
      • GoogleUpdateSetup.exe (PID: 7388)
      • GoogleUpdate.exe (PID: 4920)
      • GoogleUpdate.exe (PID: 6040)
      • GoogleUpdate.exe (PID: 5228)
      • GoogleUpdate.exe (PID: 6392)
      • 137.0.7151.56_chrome_installer.exe (PID: 8164)
      • setup.exe (PID: 8176)
      • setup.exe (PID: 6564)
    • Checks supported languages

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdate.exe (PID: 7320)
      • GoogleUpdateSetup.exe (PID: 7388)
      • GoogleUpdate.exe (PID: 4920)
      • GoogleUpdate.exe (PID: 5228)
      • GoogleUpdate.exe (PID: 6040)
      • GoogleUpdate.exe (PID: 6392)
      • 137.0.7151.56_chrome_installer.exe (PID: 8164)
      • setup.exe (PID: 8176)
      • setup.exe (PID: 7604)
      • setup.exe (PID: 6564)
      • setup.exe (PID: 4188)
      • GoogleUpdateOnDemand.exe (PID: 6436)
      • GoogleUpdate.exe (PID: 7704)
      • GoogleUpdate.exe (PID: 7584)
    • Create files in a temporary directory

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
      • svchost.exe (PID: 1812)
      • GoogleUpdate.exe (PID: 6392)
    • The sample compiled with arabic language support

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • The sample compiled with czech language support

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • The sample compiled with german language support

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • The sample compiled with bulgarian language support

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • The sample compiled with spanish language support

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • The sample compiled with french language support

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • The sample compiled with japanese language support

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • The sample compiled with Indonesian language support

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • The sample compiled with Italian language support

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • The sample compiled with korean language support

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • The sample compiled with polish language support

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • The sample compiled with portuguese language support

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • The sample compiled with slovak language support

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • The sample compiled with russian language support

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • Process checks computer location settings

      • GoogleUpdate.exe (PID: 7320)
      • GoogleUpdate.exe (PID: 6040)
    • The sample compiled with swedish language support

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • The sample compiled with chinese language support

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • The sample compiled with turkish language support

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • Checks proxy server information

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdate.exe (PID: 6392)
      • GoogleUpdateSetup.exe (PID: 7388)
      • GoogleUpdate.exe (PID: 5228)
      • slui.exe (PID: 7424)
    • Creates files in the program directory

      • GoogleUpdateSetup.exe (PID: 7388)
      • GoogleUpdate.exe (PID: 6040)
      • GoogleUpdate.exe (PID: 4920)
      • GoogleUpdate.exe (PID: 5228)
      • GoogleUpdate.exe (PID: 6392)
      • 137.0.7151.56_chrome_installer.exe (PID: 8164)
      • setup.exe (PID: 8176)
      • setup.exe (PID: 6564)
    • Reads the software policy settings

      • GoogleUpdate.exe (PID: 5228)
      • GoogleUpdate.exe (PID: 6392)
      • slui.exe (PID: 7424)
    • Reads the machine GUID from the registry

      • GoogleUpdate.exe (PID: 5228)
      • GoogleUpdate.exe (PID: 6392)
    • Creates files or folders in the user directory

      • GoogleUpdate.exe (PID: 6392)
    • UPX packer has been detected

      • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe (PID: 7360)
      • GoogleUpdateSetup.exe (PID: 7388)
    • Launch of the file from Registry key

      • setup.exe (PID: 8176)
    • Application launched itself

      • chrmstp.exe (PID: 7544)
      • chrmstp.exe (PID: 8104)
    • Manual execution by a user

      • chrmstp.exe (PID: 8104)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:08:18 21:51:07+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.2
CodeSize: 95232
InitializedDataSize: 1302016
UninitializedDataSize: -
EntryPoint: 0x4f0e
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 1.3.36.152
ProductVersionNumber: 1.3.36.152
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Google LLC
FileDescription: Google Update Setup
FileVersion: 1.3.36.152
InternalName: Google Update Setup
LegalCopyright: Copyright 2018 Google LLC
OriginalFileName: GoogleUpdateSetup.exe
ProductName: Google Update
ProductVersion: 1.3.36.152
LanguageId: en
No data.
All screenshots are available in the full report
Total processes: 145
Monitored processes: 21
Malicious processes: 5
Suspicious processes: 2

Behavior graph

Processes in the graph, in order from start (entries marked "no specs" have no detailed view in the report):
  • 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe
  • googleupdate.exe (no specs)
  • googleupdatesetup.exe
  • googleupdate.exe (no specs)
  • googleupdate.exe (no specs)
  • googleupdate.exe
  • googleupdate.exe
  • svchost.exe
  • 137.0.7151.56_chrome_installer.exe
  • setup.exe
  • setup.exe (no specs)
  • slui.exe
  • setup.exe (no specs)
  • setup.exe (no specs)
  • googleupdate.exe (no specs)
  • googleupdateondemand.exe (no specs)
  • googleupdate.exe (no specs)
  • chrmstp.exe (no specs)
  • chrmstp.exe (no specs)
  • chrmstp.exe (no specs)
  • chrmstp.exe (no specs)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 1812
CMD: C:\WINDOWS\System32\svchost.exe -k netsvcs -p -s BITS
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2384
CMD: "C:\Program Files\Google\Chrome\Application\137.0.7151.56\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\WINDOWS\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=137.0.7151.56 --initial-client-data=0x2e4,0x2e8,0x2ec,0x2c0,0x2f0,0x7ff6ec867ae0,0x7ff6ec867aec,0x7ff6ec867af8
Path: C:\Program Files\Google\Chrome\Application\137.0.7151.56\Installer\chrmstp.exe
Parent process: chrmstp.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome Installer
Exit code: 0
Version: 137.0.7151.56
Modules
Images
c:\program files\google\chrome\application\137.0.7151.56\installer\chrmstp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 4188
CMD: "C:\Program Files (x86)\Google\Update\Install\{F4AF7FF4-875F-429F-B21E-6151FF35B44C}\CR_9FC03.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\WINDOWS\SystemTemp\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=137.0.7151.56 --initial-client-data=0x28c,0x290,0x294,0x268,0x298,0x7ff7174d7ae0,0x7ff7174d7aec,0x7ff7174d7af8
Path: C:\Program Files (x86)\Google\Update\Install\{F4AF7FF4-875F-429F-B21E-6151FF35B44C}\CR_9FC03.tmp\setup.exe
Parent process: setup.exe
User: admin
Company: Google LLC
Integrity Level: HIGH
Description: Google Chrome Installer
Exit code: 0
Version: 137.0.7151.56
Modules
Images
c:\program files (x86)\google\update\install\{f4af7ff4-875f-429f-b21e-6151ff35b44c}\cr_9fc03.tmp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 4200
CMD: "C:\Program Files\Google\Chrome\Application\137.0.7151.56\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\WINDOWS\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=137.0.7151.56 --initial-client-data=0x2f8,0x2fc,0x300,0x2d4,0x304,0x7ff6ec867ae0,0x7ff6ec867aec,0x7ff6ec867af8
Path: C:\Program Files\Google\Chrome\Application\137.0.7151.56\Installer\chrmstp.exe
Parent process: chrmstp.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome Installer
Exit code: 0
Version: 137.0.7151.56
Modules
Images
c:\program files\google\chrome\application\137.0.7151.56\installer\chrmstp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 4920
CMD: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /healthcheck
Path: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Parent process: GoogleUpdate.exe
User: admin
Company: Google LLC
Integrity Level: HIGH
Description: Google Installer
Exit code: 0
Version: 1.3.36.51
Modules
Images
c:\program files (x86)\google\update\googleupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 5228
CMD: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /ping 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-PGV2ZW50IGV2ZW50dHlwZT0iMiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgaW5zdGFsbF90aW1lX21zPSIxMjUiLz48L2FwcD48L3JlcXVlc3Q-
Path: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Parent process: GoogleUpdate.exe
User: admin
Company: Google LLC
Integrity Level: HIGH
Description: Google Installer
Exit code: 0
Version: 1.3.36.51
Modules
Images
c:\program files (x86)\google\update\googleupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6040
CMD: "C:\Program Files (x86)\Google\Temp\GUM8E1.tmp\GoogleUpdate.exe" /installsource taggedmi /install "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={CB45DCA8-F67F-B12A-37E4-88FBF5A0C5B6}&lang=fr&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=PNJJ&installdataindex=empty" /installelevated
Path: C:\Program Files (x86)\Google\Temp\GUM8E1.tmp\GoogleUpdate.exe
Parent process: GoogleUpdateSetup.exe
User: admin
Company: Google LLC
Integrity Level: HIGH
Description: Google Installer
Version: 1.3.36.151
Modules
Images
c:\program files (x86)\google\temp\gum8e1.tmp\googleupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6392
CMD: "C:\Program Files (x86)\Google\Update\GoogleUpdate.exe" /handoff "appguid={8A69D345-D564-463C-AFF1-A69D9E530F96}&iid={CB45DCA8-F67F-B12A-37E4-88FBF5A0C5B6}&lang=fr&browser=5&usagestats=1&appname=Google%20Chrome&needsadmin=prefers&ap=x64-stable-statsdef_1&brand=PNJJ&installdataindex=empty" /installsource taggedmi /sessionid "{DD4BFB3C-EA60-4416-8072-BAD36690B89D}"
Path: C:\Program Files (x86)\Google\Update\GoogleUpdate.exe
Parent process: GoogleUpdate.exe
User: admin
Company: Google LLC
Integrity Level: HIGH
Description: Google Installer
Version: 1.3.36.51
Modules
Images
c:\program files (x86)\google\update\googleupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 6436
CMD: "C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateOnDemand.exe" -Embedding
Path: C:\Program Files (x86)\Google\Update\1.3.36.372\GoogleUpdateOnDemand.exe
Parent process: svchost.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Update
Exit code: 0
Version: 1.3.36.371
Modules
Images
c:\program files (x86)\google\update\1.3.36.372\googleupdateondemand.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID: 6564
CMD: "C:\Program Files (x86)\Google\Update\Install\{F4AF7FF4-875F-429F-B21E-6151FF35B44C}\CR_9FC03.tmp\setup.exe" --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
Path: C:\Program Files (x86)\Google\Update\Install\{F4AF7FF4-875F-429F-B21E-6151FF35B44C}\CR_9FC03.tmp\setup.exe
Parent process: setup.exe
User: admin
Company: Google LLC
Integrity Level: HIGH
Description: Google Chrome Installer
Exit code: 73
Version: 137.0.7151.56
Modules
Images
c:\program files (x86)\google\update\install\{f4af7ff4-875f-429f-b21e-6151ff35b44c}\cr_9fc03.tmp\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\acgenral.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events: 18 741
Read events: 16 993
Write events: 1 733
Delete events: 15

Modification events

(PID) Process: (7320) GoogleUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Update
Operation: delete value
Name: uid
Value:

(PID) Process: (7320) GoogleUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Google\Update
Operation: delete value
Name: old-uid
Value:

(PID) Process: (7360) 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7360) 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7360) 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (6040) GoogleUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation: delete value
Name: usagestats
Value:

(PID) Process: (4920) GoogleUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\uid
Operation: write
Name: GPd4b5bu
Value:

(PID) Process: (6392) GoogleUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6392) GoogleUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6392) GoogleUpdate.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 154
Suspicious files: 12
Text files: 10
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7360 | 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe | C:\Users\admin\AppData\Local\Temp\GUM3D1.tmp\GoogleUpdateBroker.exe | executable
MD5: 9482267D8E065D5C3CFE30C69B41B30C
SHA256: 23085B1BBB7D7B175EE9C4FC9DB4E7DD8981A3F5246CD864AB178C53C0612758
7360 | 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe | C:\Users\admin\AppData\Local\Temp\conres.dll | executable
MD5: 7574CF2C64F35161AB1292E2F532AABF
SHA256: DE055A89DE246E629A8694BDE18AF2B1605E4B9B493C7E4AEF669DD67ACF5085
7360 | 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe | C:\Users\admin\AppData\Local\Temp\GUM3D1.tmp\GoogleUpdateOnDemand.exe | executable
MD5: 27A531BE4E959F1D7772133949832A10
SHA256: 09B9F613621FA39C97DE92265FB886BE93BE5B37FE0985C54EB358EFBF8BEFE3
7360 | 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe | C:\Users\admin\AppData\Local\Temp\GUM3D1.tmp\GoogleUpdate.exe | executable
MD5: 54A010C60BE10B65EEE5506720FCCABB
SHA256: 9A4B728A0B652056CBD312DD917ADC08C72C89B6F666472F4E3D59A1B8039D89
7360 | 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe | C:\Users\admin\AppData\Local\Temp\GUM3D1.tmp\GoogleUpdateComRegisterShell64.exe | executable
MD5: 067C069E3A48184C32333EBBD152EB01
SHA256: 55F4339688F1E72F5DA0819ABAA1D1F0630F39C496EC1EA0AD8E3458C8DF6B02
7360 | 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe | C:\Users\admin\AppData\Local\Temp\GUM3D1.tmp\psmachine.dll | executable
MD5: 6F8C2545DB99475C8B4EA9AFD98955F8
SHA256: AF1EC35CBD24C870E3719C49561C1D570BB9A4BF144E6AE990029281DB4944CE
7360 | 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe | C:\Users\admin\AppData\Local\Temp\GUM3D1.tmp\GoogleCrashHandler.exe | executable
MD5: 381C22092074255A291F4C9946A5C28F
SHA256: C94DCB40543CB405474597C7E7C9D8EF558B1422797752625DB9CA4FAF53689C
7360 | 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe | C:\Users\admin\AppData\Local\Temp\GUM3D1.tmp\psuser_64.dll | executable
MD5: 2675A38FE7B48677E505A07FDC1D86B1
SHA256: E15E482093707962FD86DD51026E713DD0B88DFBEAAFCB1C38CDF597CDA81555
7360 | 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe | C:\Users\admin\AppData\Local\Temp\GUM3D1.tmp\psmachine_64.dll | executable
MD5: B005CCEAAEB80C98FC111F17F6900C4C
SHA256: 42EE3C4F26D73887162A536F5D7C6670C57D1A9DF7EBFC3AC531FBC9D2957802
7360 | 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe | C:\Users\admin\AppData\Local\Temp\GUM3D1.tmp\GoogleCrashHandler64.exe | executable
MD5: F1DE10A8B9909A4AF635112C8866D534
SHA256: 5DF635FD14558C0A25CEECD2AD51FBC0D129A8FE681D36ECC9E7254AE0E0A40E
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 23
TCP/UDP connections: 27
DNS requests: 20
Threats: 15

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
4616 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4616 | RUXIMICS.exe | GET | 200 | 184.24.77.18:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
7388 | GoogleUpdateSetup.exe | GET | 200 | 76.223.54.146:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious
- | - | POST | 200 | 142.250.186.131:443 | https://update.googleapis.com/service/update2 | unknown | xml | 233 b | whitelisted
- | - | POST | 200 | 142.250.186.131:443 | https://update.googleapis.com/service/update2?cup2key=13:hLnO4xlKOqZu3Q-t381qoh5FicueycGpQ3mDcbRxqHk&cup2hreq=caf7eea05e67af6764a6c8ccf266136ea1f1cdbbfbfb69839af44e42963a6ce7 | unknown | xml | 701 Kb | whitelisted
- | - | GET | 200 | 142.250.181.228:443 | https://dl.google.com/update2/installers/icons/%7B8A69D345-D564-463C-AFF1-A69D9E530F96%7D.bmp | unknown | image | 6.52 Kb | whitelisted
7388 | GoogleUpdateSetup.exe | GET | 200 | 76.223.54.146:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious
7360 | 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe | GET | 200 | 76.223.54.146:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious
7388 | GoogleUpdateSetup.exe | GET | 200 | 76.223.54.146:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious
7388 | GoogleUpdateSetup.exe | GET | 200 | 76.223.54.146:80 | http://www.aieov.com/logo.gif | unknown | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4616 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5496 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
4616 | RUXIMICS.exe | 184.24.77.18:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4616 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
7360 | 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe | 76.223.54.146:80 | www.aieov.com | AMAZON-02 | US | malicious
5496 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5228 | GoogleUpdate.exe | 142.250.186.131:443 | update.googleapis.com | GOOGLE | US | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 184.24.77.18
  • 184.24.77.31
  • 184.24.77.37
  • 184.24.77.34
  • 184.24.77.40
  • 184.24.77.4
  • 184.24.77.12
  • 184.24.77.10
  • 184.24.77.16
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
5isohu.com
whitelisted
www.aieov.com
  • 76.223.54.146
  • 13.248.169.48
malicious
update.googleapis.com
  • 142.250.186.131
whitelisted
dl.google.com
  • 142.250.186.46
whitelisted
edgedl.me.gvt1.com
  • 34.104.35.123
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID | Process | Class | Message
7360 | 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
1812 | svchost.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
1812 | svchost.exe | Misc activity | ET INFO EXE - Served Attached HTTP
1812 | svchost.exe | Misc activity | ET INFO Packed Executable Download
7388 | GoogleUpdateSetup.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
7360 | 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
7388 | GoogleUpdateSetup.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
7360 | 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
7388 | GoogleUpdateSetup.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
7360 | 2025-06-01_ffd5f52012fdec8aca81f500546abea6_amadey_black-basta_elex_floxif_hellokitty_hijackloader.exe | Malware Command and Control Activity Detected | MALWARE [ANY.RUN] Possible Floxif CnC Communication
No debug info