File name: 2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader

Full analysis: https://app.any.run/tasks/358a1dce-2288-40f7-824d-def89c256aa4
Verdict: Malicious activity
Analysis date: June 21, 2025, 09:59:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 2 sections
MD5: 766F51768C22C8595E32B55C671C1773
SHA1: 51623078507501A850DB9B1D9EAF4220E6EFE491
SHA256: C74A4B6FC3594DDEB2AFD4269FCEFB21B44FE0C78E0F15C956692E668D0BCC14
SSDEEP: 49152:492X5xd4X5Rl+JbXEM3lZmslTY8ranKtLzfObDdEFP304YY3EVJzb3boSwijiGNM:c5T8rjAbpENaUOW+XGMw

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Starts NET.EXE for service management

      • 2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe (PID: 1568)
      • net.exe (PID: 504)
  • SUSPICIOUS

    • Modifies hosts file to alter network resolution

      • 2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe (PID: 1568)
    • Executable content was dropped or overwritten

      • 2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe (PID: 1568)
      • cmd.exe (PID: 1712)
    • Executing commands from a ".bat" file

      • 2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe (PID: 1568)
    • Starts CMD.EXE for commands execution

      • 2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe (PID: 1568)
    • Executes application which crashes

      • 2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe (PID: 5908)
  • INFO

    • Checks supported languages

      • 2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe (PID: 1568)
      • 2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe (PID: 5908)
    • The sample is compiled with Chinese language support

      • 2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe (PID: 1568)
    • Failed to create an executable file in Windows directory

      • 2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe (PID: 1568)
    • Create files in a temporary directory

      • 2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe (PID: 1568)
    • Checks proxy server information

      • WerFault.exe (PID: 6620)
      • slui.exe (PID: 4864)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 6620)
    • Reads the software policy settings

      • WerFault.exe (PID: 6620)
      • slui.exe (PID: 4864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | DOS Executable Generic (100)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 0.37
CodeSize: 66560
InitializedDataSize: 37888
UninitializedDataSize: -
EntryPoint: 0x361ec
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Chinese (Simplified)
CharacterSet: Windows, Chinese (Simplified)
CompanyName: -
FileDescription: -
FileVersion: 1.0.0.0
InternalName: -
LegalCopyright: -
LegalTrademarks: -
OriginalFileName: -
ProductName: -
ProductVersion: 1.0.0.0
Comments: -
No data.
All screenshots are available in the full report
Total processes: 144
Monitored processes: 9
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process nodes (in graph order): start; 2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe; net.exe (no specs); conhost.exe (no specs); net1.exe (no specs); cmd.exe; conhost.exe (no specs); 2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe; werfault.exe; slui.exe

Process information

PID: 504
CMD: net stop "Kingsoft AntiVirus Service"
Path: C:\Windows\SysWOW64\net.exe
Parent process: 2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Net Command
Exit code: 2
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\net.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll

PID: 1568
CMD: "C:\Users\admin\Desktop\2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe"
Path: C:\Users\admin\Desktop\2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe
Parent process: explorer.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe AcroCEF
Exit code: 0
Version: 23.8.20533.0
Modules (images):
  • c:\users\admin\desktop\2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\user32.dll

PID: 1712
CMD: C:\WINDOWS\system32\cmd.exe /c C:\Users\admin\AppData\Local\Temp\$a6CD3.bat
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: 2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 1
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\cmd.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll

PID: 3864
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 4864
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID: 5084
CMD: C:\WINDOWS\system32\net1 stop "Kingsoft AntiVirus Service"
Path: C:\Windows\SysWOW64\net1.exe
Parent process: net.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Net Command
Exit code: 2
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\net1.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\msvcrt.dll
  • c:\windows\syswow64\sechost.dll

PID: 5908
CMD: "C:\Users\admin\Desktop\2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe"
Path: C:\Users\admin\Desktop\2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe
Parent process: cmd.exe
User: admin
Company: Adobe Systems Incorporated
Integrity Level: MEDIUM
Description: Adobe AcroCEF
Exit code: 3228369022
Version: 23.8.20533.0
Modules (images):
  • c:\users\admin\desktop\2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll
  • c:\windows\system32\gdi32full.dll
  • c:\windows\system32\msvcp_win.dll

PID: 6620
CMD: C:\WINDOWS\system32\WerFault.exe -u -p 5908 -s 428
Path: C:\Windows\System32\WerFault.exe
Parent process: 2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\werfault.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\cryptsp.dll
  • c:\windows\system32\oleaut32.dll

PID: 7164
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
Total events: 9 680
Read events: 9 680
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 2
Suspicious files: 2
Text files: 3
Unknown types: 0

Dropped files

PID: 6620
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_2025-06-21_766f5_2534ccec97c1dd4da1fc88d742180232ba7efc_2f62fc74_443a5199-dbf2-4a7b-8203-e402485f5cfa\Report.wer
Type: -
MD5: -
SHA256: -

PID: 1568
Process: 2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe
Filename: C:\Users\admin\AppData\Local\Temp\$a6CD3.bat
Type: text
MD5: 342C91CCAA6E463A729F0E7C2BBEF2BA
SHA256: E469FF53B15B776FE74497B54D939DFC7E6CF06E52BE7294792E0567755E1CC9

PID: 6620
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER707F.tmp.xml
Type: xml
MD5: 309134BC01BDCAE897F172BCEF4EAD57
SHA256: 660D6348B7032E4D88F8A43BFB12BD3003AB15077AA954DAF6F47C88F0D6093D

PID: 6620
Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe.5908.dmp
Type: binary
MD5: 11F3059A3999081F3B61FB89FABB6E8D
SHA256: 85644F5D43BEEFDF9B99CA1B6C77D512C4A7721762ECAD829795DB9DE8560FC0

PID: 1712
Process: cmd.exe
Filename: C:\Users\admin\Desktop\2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe
Type: executable
MD5: CD53C61345139DD549495633C7195A9D
SHA256: 2B2538D62A3D95CAA1EAAF402DDA55E9B0DC66E5A0B8F6C8FD3042550E48D56D

PID: 1568
Process: 2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe
Filename: C:\Users\admin\Desktop\2025-06-21_766f51768c22c8595e32b55c671c1773_black-basta_elex_hijackloader.exe.exe
Type: executable
MD5: CD53C61345139DD549495633C7195A9D
SHA256: 2B2538D62A3D95CAA1EAAF402DDA55E9B0DC66E5A0B8F6C8FD3042550E48D56D

PID: 6620
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER704F.tmp.WERInternalMetadata.xml
Type: xml
MD5: D7CA9BB3C5711787DFE670987A28362D
SHA256: E505F20A9A029F66A94501CFAC405182D8F3E87AD417551743F53BA37F90C43E

PID: 6620
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WER6F83.tmp.dmp
Type: binary
MD5: 1E7F320C220782C25ECDBC0B081B1322
SHA256: F2FFEC4BD2449FF3C1418272118E7497BECC4B771D33EAC1213E90B6B4671091
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 30
TCP/UDP connections: 41
DNS requests: 20
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
4920 | RUXIMICS.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
4920 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 40.126.31.73:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
- | - | POST | 200 | 40.126.32.134:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 20.190.160.131:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
- | - | POST | 200 | 40.126.32.72:443 | https://login.live.com/RST2.srf | unknown | xml | 10.3 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4920 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
4920 | RUXIMICS.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
  • 2.19.11.120
  • 2.19.11.105
whitelisted
www.microsoft.com
  • 23.35.229.160
  • 2.23.246.101
whitelisted
watson.events.data.microsoft.com
  • 20.42.73.29
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.31.73
  • 40.126.31.2
  • 40.126.31.71
  • 40.126.31.0
  • 20.190.159.23
  • 40.126.31.67
  • 20.190.159.131
  • 20.190.159.2
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.22
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

No threats detected
No debug info