File name:

____st____r-v.4.266.exe

Full analysis: https://app.any.run/tasks/6b3a861f-17fa-40cb-8c3c-6b4027740ed8
Verdict: Malicious activity
Threats:

Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.

Malware Trends Tracker     >>>
Analysis date: June 04, 2026, 23:50:32
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
stealc
vidar
golang
attachments
attc-unc
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 8 sections
MD5:

435A9971E4C53DE27734FABF34344F0E

SHA1:

EC8EACDB7A40B5B61C7BA1E44FF5280083CB3AD6

SHA256:

021E904F7E6B52AAAE9BDE641E71EE41D5C28698FDFD6612D5C472090F12B1CE

SSDEEP:

98304:C39vP8Bhsjwpb+HnuLSIPVL0JHtwdmjSJIr/aOWiuGhj9U6ERBjbq33q:++f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • ____st____r-v.4.266.exe (PID: 5632)

    • Steals credentials from Web Browsers

      • ____st____r-v.4.266.exe (PID: 5632)

    • Actions looks like stealing of personal data

      • ____st____r-v.4.266.exe (PID: 5632)

    • STEALC has been detected (SURICATA)

      • ____st____r-v.4.266.exe (PID: 5632)

    • VIDAR has been detected (YARA)

      • ____st____r-v.4.266.exe (PID: 5632)

    • VIDAR has been detected (SURICATA)

      • ____st____r-v.4.266.exe (PID: 5632)

  • SUSPICIOUS

    • Possible stealing of email data

      • ____st____r-v.4.266.exe (PID: 5632)

    • Searches for installed software

      • ____st____r-v.4.266.exe (PID: 5632)

    • Possible stealing from crypto wallets

      • ____st____r-v.4.266.exe (PID: 5632)

    • Possible stealing from password managers

      • ____st____r-v.4.266.exe (PID: 5632)

    • Multiple wallet extension IDs have been found

      • ____st____r-v.4.266.exe (PID: 5632)

    • Contacting a server suspected of hosting an CnC

      • ____st____r-v.4.266.exe (PID: 5632)

    • Possible stealing of FTP data

      • ____st____r-v.4.266.exe (PID: 5632)

    • Possible stealing of cloud data

      • ____st____r-v.4.266.exe (PID: 5632)

  • INFO

    • Reads the computer name

      • ____st____r-v.4.266.exe (PID: 5632)
      • identity_helper.exe (PID: 7528)

    • Reads the machine GUID from the registry

      • ____st____r-v.4.266.exe (PID: 5632)

    • Checks supported languages

      • ____st____r-v.4.266.exe (PID: 5632)
      • identity_helper.exe (PID: 7528)

    • Reads Environment values

      • ____st____r-v.4.266.exe (PID: 5632)
      • identity_helper.exe (PID: 7528)

    • Reads product name

      • ____st____r-v.4.266.exe (PID: 5632)

    • Reads CPU info

      • ____st____r-v.4.266.exe (PID: 5632)

    • Application based on Golang

      • ____st____r-v.4.266.exe (PID: 5632)

    • Application launched itself

      • chrome.exe (PID: 1552)
      • chrome.exe (PID: 4156)
      • msedge.exe (PID: 2880)
      • msedge.exe (PID: 9188)
      • msedge.exe (PID: 8980)
      • msedge.exe (PID: 2876)

    • Create files in a temporary directory

      • ____st____r-v.4.266.exe (PID: 5632)

    • Launches file with unassociated extension

      • OpenWith.exe (PID: 6632)

    • Manual execution by a user

      • OpenWith.exe (PID: 6632)

    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 6632)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Vidar

(PID) Process(5632) ____st____r-v.4.266.exe
BrowserExtensionsID (42)fiedbfgcleddlbcmgdigjgdfcggjcion
fmhmiaejopepamlcjkncpgpdjichnecm
oboonakemofpalcgghocfoadofidjkkk
lfochlioelphaglamdcakfjemolpichk
bfogiafebfohielmmehodmfbbebbbpei
blgcbajigpdfohpgcmbbfnphcgifjopc
bmhejbnmpamgfnomlahkonpanlkcfabg
bmikpgodpkclnkgmnpphehdgcimmided
bnfdmghkeppfadphbnkjcicejfepnbfe
bnfooenhhgcnhdkdjelgmmkpaemlnoek
caljgklbbfbcjjanaijlacgncafpegll
cnlhokffphohmfcddnibpohmkdfafdli
dbfoemgnkgieejfkaddieamagdfepnff
didegimhafipceonhjepacocaffmoppf
eajafomhmkipbjmfmhebemolkcicgfmd
eljmjmgjkbmpmfljlmklcfineebidmlo
fdfemjpbhpcjeadhbblfifdldedefnhe
fdjamakpfbbddfjaooikfcpapjohcfmg
fooolghllnmhmmndgjiamiiodkpenpbb
gejiddohjgogedgjnonbofjigllpkmbf
ghmbeldphafepmbegfdlkpapadhbakde
gmohoglkppnemohbcgjakmgengkeaphi
hfdkpbblioghdghhkdppipefbchgpohn
hifafgmccdpekplomjjkcfgodnhcellj
hldllnfgjbablcfcdcjldbbfopmohnda
hpcbfphmanablmeomioemmamedfffmpd
ibpjepoimpcdofeoalokgpjafnjonkpc
igkpcodhieompeloncfnbekccinhapdb
kfmlopbepahlcjbkfnnklglgibbopkbk
khhapgacijodhjokkcjmleaempmchlem
kmcfomidfpdkfieipokbalgegidffkal
lgbjhdkjmpgjgcbcdlhkokkckpjmedgc
mfgccjchihfkkindfppnaooecgfneiii
mfhbebgoclkghebffdldpobeajmbecfk
mlhdnjepakdfdaabohjgegnomlgeejep
mmhlniccooihdimnnjhamobppdhaolme
naepdomgkenhinolocfifgehidddafch
nhhldecdfagpbfggphklkaeiocfnaafm
njimencmbpfibibelblbbabiffimoajp
pnbabdldpneocemigmicebglmmfcjccm
oeljdldpnmdbchonielidgobddffflal
pnlccmojcmeohlpggmfnbbiapkmbliob
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 3
CodeSize: 719872
InitializedDataSize: 61440
UninitializedDataSize: -
EntryPoint: 0x720e0
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
204
Monitored processes
48
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #STEALC ____st____r-v.4.266.exe slui.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs openwith.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1112"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2532,i,8408838584628496417,8087387744505043524,262144 --variations-seed-version --mojo-platform-channel-handle=2692 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1552"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --disable-gpu about:blankC:\Program Files\Google\Chrome\Application\chrome.exe____st____r-v.4.266.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
2092"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=2336,i,8408838584628496417,8087387744505043524,262144 --variations-seed-version --mojo-platform-channel-handle=3608 /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2324"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.127 --initial-client-data=0x230,0x234,0x238,0xac,0x23c,0x7ffe256dfff8,0x7ffe256e0004,0x7ffe256e0010C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
2392"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3748,i,10414598462167907266,15636822504987653182,262144 --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=3680 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
2876"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-first-run --disable-gpu about:blankC:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe____st____r-v.4.266.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2880"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-first-run --disable-gpu about:blankC:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe____st____r-v.4.266.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2940"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=1428,i,10414598462167907266,15636822504987653182,262144 --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=2340 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
3304"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.92 --initial-client-data=0x290,0x294,0x298,0x288,0x2a0,0x7ffe256bf208,0x7ffe256bf214,0x7ffe256bf220C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4112"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --disable-quic --onnx-enabled-for-ee --string-annotations --always-read-main-dll --field-trial-handle=4388,i,3316460807104500246,149676062818907352,262144 --variations-seed-version --mojo-platform-channel-handle=4468 /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
133.0.3065.92
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
7 737
Read events
7 733
Write events
4
Delete events
0

Modification events

(PID) Process:(8748) slui.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:writeName:@%SystemRoot%\System32\sppcomapi.dll,-3200
Value:
Software Licensing
(PID) Process:(5632) ____st____r-v.4.266.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:writeName:TS_26b799fa
Value:
038C8BF
(PID) Process:(6632) OpenWith.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:writeName:@C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\oregres.dll,-205
Value:
Word
(PID) Process:(6632) OpenWith.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:writeName:@wmploc.dll,-102
Value:
Windows Media Player
Executable files
0
Suspicious files
72
Text files
326
Unknown types
0

Dropped files

PID
Process
Filename
Type
1552chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old~RF15d9cf.TMP
MD5:
SHA256:
1552chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old
MD5:
SHA256:
1552chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF15d9ee.TMP
MD5:
SHA256:
1552chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
1552chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old~RF15d9ee.TMP
MD5:
SHA256:
1552chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
1552chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old~RF15d9fe.TMP
MD5:
SHA256:
1552chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old~RF15d9fe.TMP
MD5:
SHA256:
1552chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old
MD5:
SHA256:
1552chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\chrome_cart_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
250
TCP/UDP connections
95
DNS requests
75
Threats
72

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
POST
400
192.168.1.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
204 b
whitelisted
9108
svchost.exe
POST
400
20.190.160.20:443
https://login.live.com/ppsecure/deviceaddcredential.srf
US
text
204 b
whitelisted
9108
svchost.exe
POST
200
20.190.160.20:443
https://login.live.com/RST2.srf
US
xml
1.24 Kb
whitelisted
POST
400
192.168.1.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
204 b
whitelisted
9108
svchost.exe
POST
200
192.168.1.2:443
https://login.live.com/RST2.srf
unknown
xml
1.24 Kb
whitelisted
8252
svchost.exe
GET
200
23.52.181.212:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
8252
svchost.exe
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
5632
____st____r-v.4.266.exe
POST
200
192.168.1.2:443
https://95.217.238.25/
unknown
text
344 b
unknown
5632
____st____r-v.4.266.exe
POST
200
95.217.238.25:443
https://95.217.238.25/
DE
text
344 b
malicious
POST
400
192.168.1.2:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
204 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
48.209.138.168:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
5276
MoUsoCoreWorker.exe
48.209.138.168:443
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6832
slui.exe
48.192.1.64:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
92.123.104.34:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
8252
svchost.exe
2.16.164.49:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
8252
svchost.exe
23.52.181.212:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5276
MoUsoCoreWorker.exe
48.209.133.15:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
8252
svchost.exe
48.209.133.15:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
activation-v2.sls.microsoft.com
  • 48.192.1.64
whitelisted
www.bing.com
  • 92.123.104.34
  • 92.123.104.33
  • 92.123.104.60
  • 92.123.104.18
  • 92.123.104.50
  • 92.123.104.61
  • 92.123.104.31
  • 92.123.104.32
  • 92.123.104.38
  • 92.123.104.28
  • 92.123.104.59
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
whitelisted
www.microsoft.com
  • 23.52.181.212
  • 88.221.169.152
whitelisted
google.com
  • 142.251.110.101
  • 142.251.110.113
  • 142.251.110.100
  • 142.251.110.138
  • 142.251.110.102
  • 142.251.110.139
whitelisted
settings-win.data.microsoft.com
  • 48.209.133.15
  • 48.209.6.48
  • 48.209.138.189
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 20.190.160.20
  • 20.190.160.132
  • 40.126.32.138
  • 20.190.160.67
  • 40.126.32.136
  • 20.190.160.4
  • 20.190.160.14
  • 40.126.32.140
  • 40.126.31.129
  • 40.126.31.73
  • 40.126.31.128
  • 20.190.159.2
  • 20.190.159.129
  • 40.126.31.2
  • 20.190.159.75
  • 20.190.159.131
whitelisted
clients2.google.com
  • 142.250.154.100
  • 142.250.154.102
  • 142.250.154.139
  • 142.250.154.138
  • 142.250.154.101
  • 142.250.154.113
whitelisted
safebrowsingohttpgateway.googleapis.com
  • 142.251.110.95
  • 142.250.154.95
  • 142.251.14.95
  • 142.251.13.95
  • 192.178.183.95
  • 142.251.20.95
  • 142.251.127.95
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1
5632
____st____r-v.4.266.exe
A Network Trojan was detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
5632
____st____r-v.4.266.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
A Network Trojan was detected
ET MALWARE Vidar Stealer Form Exfil
A Network Trojan was detected
ET MALWARE Vidar Stealer Form Exfil
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
____st____r-v.4.266.exe