Elex Hijacker

The Elex Hijacker is a Web browser hijacker that may take over a Web browser, change its homepage and other settings and prevent computer users from restoring their Web browser to its default setting. The Elex Hijacker may be associated with a variety of other unwanted symptoms. The main reason that makes the Elex Hijacker is considered a browser hijacker is because its main purpose is to take over a Web browser to force computer users to view certain websites repeatedly and open new Web browser windows and tabs while the computer users attempt to use their computers. The Elex Hijacker is promoted as a useful Web browser extension or add-on. However, PC security researchers have determined that the Elex Hijacker does not offer any useful or beneficial service. Rather, the Elex Hijacker is designed to make money at the expense of computer users by displaying advertisements or forcing them to visit websites related to their affiliate websites.

The Elex Hijacker may Expose Your Computer to Threatening Content

One of the main problems related to the Elex Hijacker is that computer users don't really have any control over the websites that their Web browser forces them to visit. This may cause computers to become infected with threats or other low-level threats as a result of the Elex Hijacker redirects or pop-ups. Essentially, the Elex Hijacker itself is a low-level threat, but various pop-up messages and affiliated websites may expose your computer to more threatening unwanted content. Another issue with the Elex Hijacker is that it may deliver large volumes of advertising content to computer users in the form of banners, inserted links, pop-up advertisements, and other unwanted advertisements added to the websites viewed on the affected Web browser. The Elex Hijacker may cause important performance issues on affected computers. If the Elex Hijacker is installed on your Web browser, this may increase the probability of crashing, freezing or a slower performance.

How the Elex Hijacker may Infect a Computer

One of the ways in which the Elex Hijacker may be distributed is by using typical threat deliver methods. Because of this, you should be well protected from the Elex Hijacker if your computer is safeguarded against threats, or if you have taken steps to avoid threats when browsing the Web. However, browser hijackers such as the Elex Hijacker may pass anti-malware protection. This is because the Elex Hijacker and other low-level threats also may be distributed by bundling them with other software. Computer users may be confused or surprised by the sudden appearance of the Elex Hijacker on their Web browser, which may happen right after they have installed software on their computers. However, the software is rarely the culprit. Rather, it is not uncommon for free programs to be bundled with components like the Elex Hijacker, often advertised as useful Web browser add-ons or extensions. Once the Elex Hijacker enters a computer, it may take the form of a browser toolbar or extension and interfere with the affected Web browser constantly.

Why the Elex Hijacker may be Bundled with Other Software

The most common way of distributing the Elex Hijacker and similar low-level threats is by bundling them with other software. Con artists may take popular free software and use custom installers or bundlers to include the Elex Hijacker or similar components along with the installation of that software. In most cases, the custom installers may be created to make it hard for computer users to realize that the Elex Hijacker or another unwanted component is being installed. The Elex Hijacker may be set to be installed by default, requiring computer users to opt out. The option to opt out of installing the Elex Hijacker also may be hidden behind a 'Custom Installation' or 'Advanced Installation' options. Computer users are advised to pay careful attention to the entire set up process when installing any new software.

SpyHunter Detects & Remove Elex Hijacker

Analysis Report

General information

Family Name:	Elex Hijacker
Signature status:	Self Signed

Known Samples

i

Known Samples

This section lists other file samples believed to be associated with this family.

MD5: 75eea2c64d18315c1594b8dcff08af8c SHA1: 764fa4baa8bdacd87c00c22979e60b1716930fd3 SHA256: 9E9689F259E2537A021D55895B4FCF015ADB1F8D9BD19E81968FB1F6A5817957 File Size: 309.13 KB, 309128 bytes

MD5: 462bcabe6467d6d7b6ca91fe00249810 SHA1: 186e4eebb66f1f6a875b4419573f3822060c031e SHA256: 7FEED78302B3A6D5A3CBF4ADDE042F6AF6F46E3793793D3DDF9A822786A44299 File Size: 1.54 MB, 1536696 bytes

MD5: 1e90afb2ae9c1b3860cc24a68dd54904 SHA1: bb5dae47380c6c9d5528c114e15f3bbc1af1021d SHA256: 19A40AE684A1B6548BAA5758D309625BA6FD211DF18EEE59D5F5BF9041E3C241 File Size: 770.22 KB, 770224 bytes

MD5: 382affca0b18c88e11092ef6ca189b95 SHA1: 8256d809ab0d8eeebca5a5ae156ef9900573eca8 SHA256: 664FB20556BC4775A31C13718AF0FBA3EB1B9FF7ABB7F791C364B9A3E89AA520 File Size: 1.50 MB, 1498552 bytes

MD5: ad6b6f53490746c3c62f3d3f176300d5 SHA1: 395c116d7cf1f2fd70d42a67dc8621e424ea4b4a SHA256: F3F01E19C6B98289D63BD30C5CEB6DA775F00EA385417FA6755545D8F41F20B6 File Size: 671.33 KB, 671328 bytes

Show More

MD5: ad6f38048314b3a1316c114ae8b8c480 SHA1: c937732ab7957c90cfc0f51aa62615429dcf4d51 SHA256: 3C7F766442DD72324ACC88E7DEF3DB48CF023F8E0DE1DDFAE91B591C28FC03E3 File Size: 302.91 KB, 302912 bytes

MD5: 9a61a82224f10e8bc144a681186d2921 SHA1: 4507dac70c5ccea0be4f838ec448a5558003968d SHA256: BFC02B669EBCF359257F0D923152AF97DAE118C39E19446A70CF4EA5074A67E7 File Size: 903.03 KB, 903032 bytes

MD5: 06a5be47c95c0831d5e477a2ffad444e SHA1: c89ec4ab61ff6286acd8e8e5d16b3f52917f2f83 SHA256: 9B6C082BB8D225C97EFB1E87D514283B56B427D966476D01A38FC160C9B20209 File Size: 646.33 KB, 646328 bytes

MD5: 03f8be4e6503f7ce0c7c87f79ba6c57b SHA1: be8f6c434c32907e537fdd537c288efce8eca842 SHA256: 1812F1FCB1F3860B1064C335C1764CBB60CD36C3C4D019F4AF90796D1A61E418 File Size: 473.94 KB, 473944 bytes

Windows Portable Executable Attributes

i

Windows Portable Executable Attributes

This section lists file attributes found within family samples. These attributes are extracted from the files’ Windows PE (Portable Executable) specification and various system flags. Portable Executable Attributes give malware researchers insight into a file’s functionality, executable details, platform and runtime environment.

• File doesn't have "Rich" header
• File doesn't have debug information
• File doesn't have exports table
• File doesn't have relocations information
• File has exports table
• File is 32-bit executable
• File is either console or GUI application
• File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
• File is Native application (NOT .NET application)
• File is not packed

Show More

• IMAGE_FILE_DLL is not set inside PE header (Executable)
• IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

i

File Icons

This section displays icon resources found within family samples. Malware often replicates icons commonly associated with legitimate software to mislead users into believing the malware is safe.

Windows PE Version Information

i

Windows PE Version Information

This section displays values and attributes that have been set in the Windows file version information data structure for samples within this family. To mislead users, malware actors often add fake version information mimicking legitimate software.

Name	Value
Comments	PANDA Viewer installer
Company Name	BANANA SUMMER LIMITED Beijing ELEX Technology Co. Ltd. File Syn HTabp.com One Syn Portmon/EE Real-skill.com
File Description	File Work FileWork_Bra HTabp PANDA Viewer installer Portmon/EE Real-skill Syn worker v9hometools
File Version	14.4.4.15 6.6.86.1691 6.6.86.1606 6.5.7605.1001 6.2.7602.1015 6,3,7601,1322 1.0.0.3 1.0.0.2
Internal Name	FileWork.exe HTabp.exe portmon.exe Real-skill.exe SynWork.exe v9home_tools.exe Worker.exe
Legal Copyright	(c) <Beijing ELEX Technology Co. Ltd.>. All rights reserved. Copyright (C) 2014 Copyright (C) HTabp.com 2010 Copyright (C) Real-skill System Link 2002 Copyright 2016 BANANA SUMMER LIMITED All rights reserved. One Syn Portmon/EE SynWork
Original Filename	FileWork.exe HTabp.exe portmon.exe Real-skill.exe SynWork.exe v9home_tools.exe Worker.exe
Product Name	548_sof 1511_smt_istartsurf 2002_cor_vi-view 3428_smt_istartsurf 3899_cornl_istartsurf padingpadingpadingpadingpadingpadingpadingpadingpadingpadingpadingpadingpadingpading PANDA Viewer installer v9hometools
Product Version	14.4.4.15 6.6.86.1691 6.6.86.1606 6.5.7605.1001 6.2.7602.1015 6,3,7601,1322 1.0.0.3

Digital Signatures

i

Digital Signatures

This section lists digital signatures that are attached to samples within this family. When analyzing and verifying digital signatures, it is important to confirm that the signature’s root authority is a well-known and trustworthy entity and that the status of the signature is good. Malware is often signed with non-trustworthy “Self Signed” digital signatures (which can be easily created by a malware author with no verification). Malware may also be signed by legitimate signatures that have an invalid status, and by signatures from questionable root authorities with fake or misleading “Signer” names.

Signer	Root	Status
Li Mo	DigiCert Assured ID Code Signing CA-1	Self Signed
Xiaoqing Liu	DigiCert Assured ID Code Signing CA-1	Self Signed
Shulan Hou	DigiCert SHA2 Assured ID Code Signing CA	Self Signed
Shenzhen Zhongxiao Trading Co.,Ltd.	GlobalSign	Root Not Trusted
Hefei Zhimingxingtong Software&Technology Co., Ltd.	GlobalSign CodeSigning CA - G2	Self Signed

Show More

Minidigital Technology Co., Limited	GlobalSign CodeSigning CA - G2	Self Signed
Beijing ELEX Technology Co.,Ltd	VeriSign Class 3 Code Signing 2010 CA	Self Signed
Yang Liwei	WoSign Class 2 Code Signing CA	Self Signed
Lei Rong	thawte SHA256 Code Signing CA	Self Signed

Block Information

i

Block Information

During analysis, EnigmaSoft breaks file samples into logical blocks for classification and comparison with other samples. Blocks can be used to generate malware detection rules and to group file samples into families based on shared source code, functionality and other distinguishing attributes and characteristics. This section lists a summary of this block data, as well as its classification by EnigmaSoft. A visual representation of the block data is also displayed, where available.

Similar Families

i

Similar Families

This section lists other families that share similarities with this family, based on EnigmaSoft’s analysis. Many malware families are created from the same malware toolkits and use the same packing and encryption techniques but uniquely extend functionality. Similar families may also share source code, attributes, icons, subcomponents, compromised and/or invalid digital signatures, and network characteristics. Researchers leverage these similarities to rapidly and effectively triage file samples and extend malware detection rules.

• Elex.J
• Elex.M

Files Modified

i

Files Modified

This section lists files that were created, modified, moved and/or deleted by samples in this family. File system activity can provide valuable insight into how malware functions on the operating system.

File	Attributes
\device\namedpipe	Generic Read,Write Attributes
\device\namedpipe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\1287765\1287765.zipdir\mainlog\c89ec4ab61ff6286acd8e8e5d16b3f52917f2f83_000064_2025-12-19[20-34-50-586].log	Generic Read,Write Data,Write Attributes,Write extended,Append data
c:\users\user\appdata\local\temp\7e82590c-48c6-48bd-9dbb-bdcc68c3cbb8[i]\xldownload.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\7e82590c-48c6-48bd-9dbb-bdcc68c3cbb8[i]\zlib1.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nslbd4b.tmp\7za.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nslbd4b.tmp\nsexec.dll	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nslbd4b.tmp\res.7z	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\nstd517.tmp	Generic Read,Write Data,Write Attributes,Write extended,Append data,Delete
c:\users\user\appdata\local\temp\pandaviewer\libdui.dll	Generic Write,Read Attributes

Show More

c:\users\user\appdata\local\temp\pandaviewer\pandaviewer.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\pandaviewer\pandaviewerinstaller.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\pandaviewer\pandaviewerserviceup.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\pandaviewer\thumbnail.ico	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\pandaviewer\uninstall.exe	Generic Write,Read Attributes

Registry Modifications

i

Registry Modifications

This section lists registry keys and values that were created, modified and/or deleted by samples in this family. Windows Registry activity can provide valuable insight into malware functionality. Additionally, malware often creates registry values to allow itself to automatically start and indefinitely persist after an initial infection has compromised the system.

Key::Value	Data	API Name
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	ꖙ촉童ǜ	RegNtPreCreateKey

Windows API Usage

i

Windows API Usage

This section lists Windows API calls that are used by the samples in this family. Windows API usage analysis is a valuable tool that can help identify malicious activity, such as keylogging, security privilege escalation, data encryption, data exfiltration, interference with antivirus software, and network request manipulation.

Category	API
Anti Debug	IsDebuggerPresent OutputDebugString
User Data Access	GetUserObjectInformation
Process Manipulation Evasion	NtUnmapViewOfSection ZwMapViewOfSection
Process Shell Execute	CreateProcess
Other Suspicious	AdjustTokenPrivileges SetWindowsHookEx
Network Winsock2	WSAStartup
Network Winsock	closesocket connect freeaddrinfo getaddrinfo socket
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtApphelpCacheControl ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtConnectPort ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateMutant Show More ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtWaitForAlertByThreadId ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair ntdll.dll!NtWorkerFactoryWorkerReady ntdll.dll!NtWriteFile UNKNOWN

Shell Command Execution

i

Shell Command Execution

This section lists Windows shell commands that are run by the samples in this family. Windows Shell commands are often leveraged by malware for nefarious purposes and can be used to elevate security privileges, download and launch other malware, exploit vulnerabilities, collect and exfiltrate data, and hide malicious activity.

"C:\Users\Xrdjitfi\AppData\Local\Temp\PandaViewer\PandaViewerinstaller.exe"

"C:\Users\Jeirhhui\AppData\Local\Temp\nslBD4B.tmp\7za.exe" e res.7z -ppswd00 -o.\ -aoa