File name: 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee

Full analysis: https://app.any.run/tasks/ad139048-2f34-4853-bdec-b23b6c45c98d
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Analysis date: June 19, 2025, 06:34:13
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
loader
auto-download
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5: 3E2AEEFAE71B83C6D7D8CC8E8772FD1B
SHA1: 230187F098EF9EE31B7C852F76B78E1270E7382C
SHA256: A1CBBA9CAE1385ACC9240C307902A8DF77CBA7807A6B6DBB12093F6A67A7A288
SSDEEP: 49152:QtfGrRCpfAbsnVAvdaFNAcrch0P5pUwt9ZX6Ao1xDuWpUtaCPr+sgLKNNWJxQNuF:QtfGrRCpfAbgkeb6Ao1F7pUtRPr+sYKo

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts application with an unusual extension

      • 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe (PID: 1604)
    • Executable content was dropped or overwritten

      • 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe (PID: 1604)
      • 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe  (PID: 6704)
    • Starts itself from another location

      • 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe (PID: 1604)
    • Reads security settings of Internet Explorer

      • 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe  (PID: 6704)
      • BlueStacksInstaller.exe (PID: 2976)
      • BlueStacksInstaller.exe (PID: 6216)
    • Reads the date of Windows installation

      • BlueStacksInstaller.exe (PID: 2976)
    • Application launched itself

      • BlueStacksInstaller.exe (PID: 2976)
    • The process executes via Task Scheduler

      • default-browser-agent.exe (PID: 4168)
    • Loads DLL from Mozilla Firefox

      • default-browser-agent.exe (PID: 4168)
  • INFO

    • Checks supported languages

      • 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe (PID: 1604)
      • 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe  (PID: 6704)
      • icsys.icn.exe (PID: 1156)
      • BlueStacksInstaller.exe (PID: 2976)
      • HD-CheckCpu.exe (PID: 6756)
      • BlueStacksInstaller.exe (PID: 6216)
      • HD-CheckCpu.exe (PID: 2804)
      • identity_helper.exe (PID: 7716)
      • HD-CheckCpu.exe (PID: 6016)
    • Creates files or folders in the user directory

      • 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe (PID: 1604)
      • BlueStacksInstaller.exe (PID: 2976)
    • The sample compiled with english language support

      • 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe (PID: 1604)
      • msedge.exe (PID: 6584)
      • msedge.exe (PID: 2348)
    • Reads the computer name

      • 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe (PID: 1604)
      • 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe  (PID: 6704)
      • icsys.icn.exe (PID: 1156)
      • BlueStacksInstaller.exe (PID: 2976)
      • BlueStacksInstaller.exe (PID: 6216)
      • identity_helper.exe (PID: 7716)
    • Create files in a temporary directory

      • 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe (PID: 1604)
      • 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe  (PID: 6704)
      • icsys.icn.exe (PID: 1156)
      • BlueStacksInstaller.exe (PID: 6216)
    • Process checks computer location settings

      • 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe  (PID: 6704)
      • BlueStacksInstaller.exe (PID: 2976)
    • Reads Environment values

      • BlueStacksInstaller.exe (PID: 2976)
      • BlueStacksInstaller.exe (PID: 6216)
      • identity_helper.exe (PID: 7716)
    • Disables trace logs

      • BlueStacksInstaller.exe (PID: 2976)
      • BlueStacksInstaller.exe (PID: 6216)
    • Checks proxy server information

      • BlueStacksInstaller.exe (PID: 2976)
      • BlueStacksInstaller.exe (PID: 6216)
      • slui.exe (PID: 6264)
      • explorer.exe (PID: 4772)
    • Reads the software policy settings

      • BlueStacksInstaller.exe (PID: 2976)
      • BlueStacksInstaller.exe (PID: 6216)
      • explorer.exe (PID: 4772)
      • slui.exe (PID: 6264)
    • Reads the machine GUID from the registry

      • BlueStacksInstaller.exe (PID: 2976)
      • BlueStacksInstaller.exe (PID: 6216)
    • Failed to create an executable file in Windows directory

      • icsys.icn.exe (PID: 1156)
    • Application launched itself

      • msedge.exe (PID: 3588)
      • msedge.exe (PID: 6748)
      • msedge.exe (PID: 6584)
      • firefox.exe (PID: 7072)
    • Manual execution by a user

      • msedge.exe (PID: 6584)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4772)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 2348)
      • msedge.exe (PID: 6584)
    • Launching a file from the Downloads directory

      • msedge.exe (PID: 6584)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2011:06:14 19:01:16+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 176128
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x3670
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
CompanyName: Microsoft
ProductName: Win
FileVersion: 1
ProductVersion: 1
InternalName: Win
OriginalFileName: Win.exe
No data.
All screenshots are available in the full report
Total processes: 191
Monitored processes: 56
Malicious processes: 0
Suspicious processes: 2

Behavior graph

(Interactive process graph; rendered in the full report.) Process nodes, in graph order: start, 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe (2 instances), icsys.icn.exe, bluestacksinstaller.exe (2), hd-checkcpu.exe (3), conhost.exe (3), msedge.exe (many instances), identity_helper.exe (2), slui.exe, explorer.exe, default-browser-agent.exe, firefox.exe (2).

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1068
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5476,i,18435209261269016575,8456501527706626878,262144 --variations-seed-version --mojo-platform-channel-handle=5020 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1100
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5060,i,18435209261269016575,8456501527706626878,262144 --variations-seed-version --mojo-platform-channel-handle=6656 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 1156
CMD: C:\Users\admin\AppData\Local\icsys.icn.exe
Path: C:\Users\admin\AppData\Local\icsys.icn.exe
Parent process: 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe
User:
admin
Company:
Microsoft
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\appdata\local\icsys.icn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 1604
CMD: "C:\Users\admin\Desktop\2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe"
Path: C:\Users\admin\Desktop\2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID: 2348
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2220,i,18435209261269016575,8456501527706626878,262144 --variations-seed-version --mojo-platform-channel-handle=2436 /prefetch:3
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2620
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3532,i,18435209261269016575,8456501527706626878,262144 --variations-seed-version --mojo-platform-channel-handle=3556 /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2804
CMD: "C:\Users\admin\AppData\Local\Temp\7zS03A86F27\HD-CheckCpu.exe" --cmd checkSSE4
Path: C:\Users\admin\AppData\Local\Temp\7zS03A86F27\HD-CheckCpu.exe
Parent process: BlueStacksInstaller.exe
User:
admin
Integrity Level:
HIGH
Exit code:
1
Modules
Images
c:\users\admin\appdata\local\temp\7zs03a86f27\hd-checkcpu.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\kernel.appcore.dll
PID: 2804
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2388,i,13776180545016547453,15651866717961608182,262144 --variations-seed-version --mojo-platform-channel-handle=2380 /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2836
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5852,i,18435209261269016575,8456501527706626878,262144 --variations-seed-version --mojo-platform-channel-handle=1688 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2976
CMD: "C:\Users\admin\AppData\Local\Temp\7zS03A86F27\BlueStacksInstaller.exe"
Path: C:\Users\admin\AppData\Local\Temp\7zS03A86F27\BlueStacksInstaller.exe
Parent process: 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe (second instance, PID 6704)
User:
admin
Company:
now.gg, Inc.
Integrity Level:
MEDIUM
Description:
MSI App Player Installer
Version:
5.12.120.6303
Modules
Images
c:\users\admin\appdata\local\temp\7zs03a86f27\bluestacksinstaller.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\mscoree.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
Total events: 23 977
Read events: 23 909
Write events: 64
Delete events: 4

Modification events

Process: (1604) 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000040300
Operation: write
Name: VirtualDesktop
Value: 10000000303044563096AFED4A643448A750FA41CFC7F708

Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: IconLayouts
Value:

Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: IconNameVersion
Value: 1

Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation: write
Name: LastUpdate
Value: 6EAF536800000000

Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000040300
Operation: delete key
Name: (default)
Value:

Process: (1156) icsys.icn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value: 1

Process: (2976) BlueStacksInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BlueStacksInstaller_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

Process: (2976) BlueStacksInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BlueStacksInstaller_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

Process: (2976) BlueStacksInstaller.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\BlueStacksInstaller_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0
Executable files: 15
Suspicious files: 491
Text files: 118
Unknown types: 42

Dropped files

PID | Process | Filename | Type
1604 | 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe | C:\Users\admin\Desktop\2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe | executable
  MD5: 98341684249EDAE864B1ED61C1B0FD7C
  SHA256: AB28A0F279D19C9C0C507A677B74616971F3E443277F0709BB619FEFFE40DAF7
6704 | 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe | C:\Users\admin\AppData\Local\Temp\7zS03A86F27\Assets\exit_close.png | image
  MD5: 26EB04B9E0105A7B121EA9C6601BBF2A
  SHA256: 7AAEF329BA9FA052791D1A09F127551289641EA743BABA171DE55FAA30EC1157
6704 | 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe | C:\Users\admin\AppData\Local\Temp\7zS03A86F27\Assets\close_red_click.png | image
  MD5: 955CD2C28A755D5488987EEBBF36B1B3
  SHA256: D2A45B8D92DDD7F4C6A9A21F22936FBA0A2FFAC101EFEB98B9B14810DE09FBA0
6704 | 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe | C:\Users\admin\AppData\Local\Temp\7zS03A86F27\Assets\close_red.png | image
  MD5: 3759FDF92C29556E5740A6282507E1F9
  SHA256: 8CD75E91BE69CF7CC6E6979C14B394A11FE683BE7B62D5163DA1073BB568B7D9
6704 | 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe | C:\Users\admin\AppData\Local\Temp\7zS03A86F27\Assets\checked_gray.png | image
  MD5: F5273EDA49F641257CCB5FC5235CEE80
  SHA256: FC88B72393B58799AD747A988B76C1B9D8CE3DBAEDFD0463E74D6A33BE0878B6
6704 | 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe | C:\Users\admin\AppData\Local\Temp\7zS03A86F27\Assets\backicon.png | image
  MD5: BB32B6C0CB2FD3B9329F0813E1B4239D
  SHA256: 77533707194F691AF85E6C990D852B949C09018378C8F9D87763B54B1C118F67
4772 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat | binary
  MD5: E49C56350AEDF784BFE00E444B879672
  SHA256: A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
6704 | 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe | C:\Users\admin\AppData\Local\Temp\7zS03A86F27\Assets\custom_click.png | image
  MD5: 64D86C1B50F8A81D97D2E52E6AE0C8F2
  SHA256: 7431781037F422688265D141FEC19F85BD6FFC230FEF6FE7373DF31015AC0994
6704 | 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe | C:\Users\admin\AppData\Local\Temp\7zS03A86F27\Assets\close_red_hover.png | image
  MD5: DD9E35EDE730F30E85538E20525A8468
  SHA256: 0B1D12BCE748CDAB6FB9550278E60EB993D74BF9AE877995C68099C3CDA68A8A
6704 | 2025-06-19_3e2aeefae71b83c6d7d8cc8e8772fd1b_elex_hijackloader_stealc_stop_tofsee.exe | C:\Users\admin\AppData\Local\Temp\7zS03A86F27\Assets\custom.png | image
  MD5: 07C7F00C7498D32E8045C1A0EDA0727D
  SHA256: 8EAAB641D186F93F50D2D2BBAE6AC5B3C937CA30665BF916321A35C83253ECA3
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 180
TCP/UDP connections: 134
DNS requests: 108
Threats: 18

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | GET | 200 | 13.32.121.53:443 | https://cloud.bluestacks.com/api/getcountryforip | unknown | binary | 49 b | whitelisted
- | - | GET | 301 | 13.32.99.23:443 | https://cdn3.bluestacks.com/downloads/windows/bsx/msi5/10.0.30.6340/557aaefb8a0f401f873cc7b1d5375c01/BSX-Setup_10.0.30.6340.exe | unknown | - | - | -
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 13.32.121.127:443 | https://cloud.bluestacks.com/bs3/stats/unified_install_stats | unknown | - | - | whitelisted
- | - | GET | 200 | 13.32.121.53:443 | https://cloud.bluestacks.com/api/getcountryforip | unknown | binary | 49 b | whitelisted
3388 | RUXIMICS.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.53.40.178:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
- | - | POST | 200 | 13.32.121.33:443 | https://cloud.bluestacks.com/bs3/stats/unified_install_stats | unknown | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.222.10.99:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 23.222.10.99:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
(Rows with "-" in the PID and Process columns were not attributed to a monitored process in the report.)

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3388 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2976 | BlueStacksInstaller.exe | 34.160.86.181:443 | cloud.bluestacks.com | GOOGLE | US | whitelisted
5944 | MoUsoCoreWorker.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3388 | RUXIMICS.exe | 23.53.40.178:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6216 | BlueStacksInstaller.exe | 34.160.86.181:443 | cloud.bluestacks.com | GOOGLE | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 20.73.194.208 | whitelisted
google.com | 142.250.185.174 | whitelisted
cloud.bluestacks.com | 34.160.86.181 | whitelisted
crl.microsoft.com | 23.53.40.178, 23.53.40.176 | whitelisted
www.microsoft.com | 23.222.10.99 | whitelisted
cdn3.bluestacks.com | 13.32.99.23, 13.32.99.107, 13.32.99.33, 13.32.99.85 | shared
ak-build.bluestacks.com | 23.53.40.48, 23.53.40.42 | whitelisted
edge.microsoft.com | 150.171.28.11, 150.171.27.11 | whitelisted
config.edge.skype.com | 13.107.42.16 | whitelisted
www.bluestacks.com | 13.32.121.53, 13.32.121.15, 13.32.121.33, 13.32.121.127 | whitelisted

Threats

PID | Process | Class | Message
2348 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
2348 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Hosted Libraries (ajax .googleapis .com)
2348 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
2348 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] jQuery JavaScript Library Code Loaded (code .jquery .com)
2348 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] BootstrapCDN (maxcdn .bootstrapcdn .com)
2348 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2348 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] BootstrapCDN (maxcdn .bootstrapcdn .com)
2348 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2348 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
2348 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
No debug info