URL:

https://zone03.b-cdn.net/tr17

Full analysis: https://app.any.run/tasks/e731efa9-43db-438c-a070-e50d749b34a2
Verdict: Malicious activity
Threats:

Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.

Malware Trends Tracker     >>>
Analysis date: September 16, 2024, 09:22:42
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealc
stealer
Indicators:
MD5:

E17189F351395D4EB52CBAA4C85505EB

SHA1:

19428FFA735EFB2F644A44AB0C1C873F09600E88

SHA256:

00776E0F3E15400B6462A79137F26F10EA32A7EE9111E00250E9066BF28D3F57

SSDEEP:

3:N8eOML:2eO4

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 7624)
      • powershell.exe (PID: 7408)

    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 7624)
      • powershell.exe (PID: 7408)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 7624)
      • powershell.exe (PID: 7408)

    • Changes powershell execution policy (Unrestricted)

      • mshta.exe (PID: 2700)
      • mshta.exe (PID: 7544)

    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 7624)
      • powershell.exe (PID: 7408)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 7624)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 7624)
      • powershell.exe (PID: 7408)

    • Stealers network behavior

      • BitLockerToGo.exe (PID: 7880)
      • BitLockerToGo.exe (PID: 1288)

    • STEALC has been detected (SURICATA)

      • BitLockerToGo.exe (PID: 7880)
      • BitLockerToGo.exe (PID: 1288)

    • Connects to the CnC server

      • BitLockerToGo.exe (PID: 7880)
      • BitLockerToGo.exe (PID: 1288)

    • STEALC has been detected (YARA)

      • XTUS.exe (PID: 7976)

    • StealC has been detected

      • BitLockerToGo.exe (PID: 7880)
      • BitLockerToGo.exe (PID: 1288)

  • SUSPICIOUS

    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 7624)

    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 7624)
      • powershell.exe (PID: 7408)

    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 7624)
      • powershell.exe (PID: 7408)

    • Executable content was dropped or overwritten

      • mshta.exe (PID: 2700)
      • powershell.exe (PID: 7624)

    • Cryptography encrypted command line is found

      • powershell.exe (PID: 7624)
      • powershell.exe (PID: 7408)

    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 2700)
      • mshta.exe (PID: 7544)

    • The process bypasses the loading of PowerShell profile settings

      • mshta.exe (PID: 2700)
      • mshta.exe (PID: 7544)

    • Probably obfuscated PowerShell command line is found

      • mshta.exe (PID: 2700)
      • mshta.exe (PID: 7544)

    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 7624)
      • powershell.exe (PID: 7408)

    • Reads security settings of Internet Explorer

      • BitLockerToGo.exe (PID: 7880)
      • BitLockerToGo.exe (PID: 1288)

    • Contacting a server suspected of hosting an CnC

      • BitLockerToGo.exe (PID: 7880)
      • BitLockerToGo.exe (PID: 1288)

    • Connects to the server without a host name

      • BitLockerToGo.exe (PID: 7880)
      • BitLockerToGo.exe (PID: 1288)

    • Windows Defender mutex has been found

      • BitLockerToGo.exe (PID: 1288)
      • BitLockerToGo.exe (PID: 7880)

  • INFO

    • The process uses the downloaded file

      • iexplore.exe (PID: 5624)
      • mshta.exe (PID: 2700)
      • powershell.exe (PID: 7624)
      • mshta.exe (PID: 7544)
      • powershell.exe (PID: 7408)

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 5720)
      • msedge.exe (PID: 964)
      • msedge.exe (PID: 2264)

    • Reads the computer name

      • identity_helper.exe (PID: 7640)
      • XTUS.exe (PID: 1932)
      • BitLockerToGo.exe (PID: 7880)
      • XTUS.exe (PID: 7976)
      • BitLockerToGo.exe (PID: 1288)

    • Checks supported languages

      • identity_helper.exe (PID: 7640)
      • XTUS.exe (PID: 1932)
      • XTUS.exe (PID: 7976)
      • BitLockerToGo.exe (PID: 7880)
      • BitLockerToGo.exe (PID: 1288)

    • Reads Environment values

      • identity_helper.exe (PID: 7640)

    • Sends debugging messages

      • notepad++.exe (PID: 7912)

    • Manual execution by a user

      • notepad++.exe (PID: 7912)
      • cmd.exe (PID: 6244)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 2700)
      • mshta.exe (PID: 7544)

    • Checks proxy server information

      • mshta.exe (PID: 2700)
      • powershell.exe (PID: 7624)
      • mshta.exe (PID: 7544)
      • BitLockerToGo.exe (PID: 7880)
      • BitLockerToGo.exe (PID: 1288)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 7624)
      • powershell.exe (PID: 7408)

    • Application launched itself

      • msedge.exe (PID: 964)

    • The executable file from the user directory is run by the Powershell process

      • XTUS.exe (PID: 1932)
      • XTUS.exe (PID: 7976)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 7624)
      • powershell.exe (PID: 7408)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 7624)
      • powershell.exe (PID: 7408)

    • Disables trace logs

      • powershell.exe (PID: 7624)

    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 7408)

    • Creates files or folders in the user directory

      • BitLockerToGo.exe (PID: 1288)
      • BitLockerToGo.exe (PID: 7880)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
211
Monitored processes
79
Malicious processes
8
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs rundll32.exe no specs notepad++.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs cmd.exe no specs conhost.exe no specs mshta.exe powershell.exe conhost.exe no specs xtus.exe no specs msedge.exe no specs mshta.exe powershell.exe no specs conhost.exe no specs msedge.exe no specs #STEALC xtus.exe no specs #STEALC bitlockertogo.exe #STEALC bitlockertogo.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
208"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=8048 --field-trial-handle=2344,i,13581304114467510088,12800736254790589394,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
300"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5472 --field-trial-handle=2344,i,13581304114467510088,12800736254790589394,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
304"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3524 --field-trial-handle=2344,i,13581304114467510088,12800736254790589394,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
532"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5524 --field-trial-handle=2344,i,13581304114467510088,12800736254790589394,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
964"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=8 -- "https://zone03.b-cdn.net/tr17"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
iexplore.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1164"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5284 --field-trial-handle=2344,i,13581304114467510088,12800736254790589394,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1288"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe"C:\Windows\BitLockerDiscoveryVolumeContents\BitLockerToGo.exe
XTUS.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
BitLocker To Go Reader
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\bitlockerdiscoveryvolumecontents\bitlockertogo.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
1932"C:\Users\admin\AppData\Local\Temp\XTUS.exe" C:\Users\admin\AppData\Local\Temp\XTUS.exepowershell.exe
User:
admin
Company:
Intel Corporation
Integrity Level:
MEDIUM
Description:
Intel(R) Extreme Tuning Utility
Exit code:
666
Version:
7.14.2.14
Modules
Images
c:\users\admin\appdata\local\temp\xtus.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\bcryptprimitives.dll
c:\windows\syswow64\winmm.dll
2056"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=7144 --field-trial-handle=2344,i,13581304114467510088,12800736254790589394,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2144"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7904 --field-trial-handle=2344,i,13581304114467510088,12800736254790589394,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
22 339
Read events
22 280
Write events
59
Delete events
0

Modification events

(PID) Process:(5624) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(5624) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(5624) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(5624) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
(PID) Process:(5624) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:writeName:SecuritySafe
Value:
1
(PID) Process:(5624) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:writeName:DisableFirstRunCustomize
Value:
1
(PID) Process:(964) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(964) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(964) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(964) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
Executable files
22
Suspicious files
792
Text files
226
Unknown types
12

Dropped files

PID
Process
Filename
Type
964msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF12a1c6.TMP
MD5:
SHA256:
964msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
964msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF12a1c6.TMP
MD5:
SHA256:
964msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
964msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF12a1c6.TMP
MD5:
SHA256:
964msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
964msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF12a214.TMP
MD5:
SHA256:
964msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
964msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF12a224.TMP
MD5:
SHA256:
964msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
58
TCP/UDP connections
181
DNS requests
209
Threats
8

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
unknown
whitelisted
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
4760
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
200
104.18.38.233:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEH1bUSa0droR23QWC7xTDac%3D
unknown
whitelisted
2700
mshta.exe
GET
200
104.18.38.233:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
unknown
whitelisted
1280
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
1280
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
104.18.38.233:80
http://ocsp.sectigo.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRDC9IOTxN6GmyRjyTl2n4yTUczyAQUjYxexFStiuF36Zv5mwXhuAGNYeECEQCb80pEPlZ04x2fAu4YLy1O
unknown
whitelisted
6908
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7760
svchost.exe
HEAD
200
23.48.23.7:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/a1310cb6-94be-46c6-b8dc-986450234260?P1=1726547963&P2=404&P3=2&P4=mQ%2baPinuPqWvLmmBhc40a3XujLazWXutm5oUrvOwp5b5KpbxnWDJNyphOLsZ8vIQf6L13pCAQK6kBxhTxKL3Sg%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2120
MoUsoCoreWorker.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
6244
RUXIMICS.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4760
svchost.exe
51.124.78.146:443
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
964
msedge.exe
239.255.255.250:1900
whitelisted
5720
msedge.exe
185.59.220.199:443
zone03.b-cdn.net
Datacamp Limited
DE
whitelisted
5720
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5720
msedge.exe
142.250.184.225:443
clients2.googleusercontent.com
GOOGLE
US
whitelisted
5720
msedge.exe
23.48.23.26:443
bzib.nelreports.net
Akamai International B.V.
DE
whitelisted
5720
msedge.exe
13.107.21.239:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.142
whitelisted
zone03.b-cdn.net
  • 185.59.220.199
  • 138.199.37.225
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
api.edgeoffer.microsoft.com
  • 94.245.104.56
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.253.45
whitelisted
update.googleapis.com
  • 142.250.181.227
whitelisted
edgeservices.bing.com
  • 92.123.104.24
  • 92.123.104.30
  • 92.123.104.29
  • 92.123.104.26
  • 92.123.104.19
  • 92.123.104.31
  • 92.123.104.32
  • 92.123.104.20
  • 92.123.104.21
whitelisted
bzib.nelreports.net
  • 20.189.173.24
  • 23.48.23.26
  • 23.48.23.51
whitelisted

Threats

PID
Process
Class
Message
7880
BitLockerToGo.exe
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Stealc HTTP POST Request
7880
BitLockerToGo.exe
Malware Command and Control Activity Detected
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
1288
BitLockerToGo.exe
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Stealc HTTP POST Request
1288
BitLockerToGo.exe
Malware Command and Control Activity Detected
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
5720
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Request to Azure content delivery network (aadcdn .msauth .net)
5720
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Request to Azure content delivery network (aadcdn .msauth .net)
5720
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Request to Azure content delivery network (aadcdn .msauth .net)
5720
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Request to Azure content delivery network (aadcdn .msauth .net)
Process
Message
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\SciLexer.dll
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
ED255D9151912E40DF048A56288E969A8D0DAFA3
notepad++.exe
VerifyLibrary: C:\Program Files\Notepad++\updater\gup.exe
notepad++.exe
VerifyLibrary: certificate revocation checking is disabled
notepad++.exe
VerifyLibrary: error while getting certificate informations
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://zone03.b-cdn.net/tr17