File name:

x40f44d2f66c7cfc9ccc6b10b1b31b1aa305afafeee664417344f72bd74cbcf36.exe

Full analysis: https://app.any.run/tasks/01158a79-b5f3-49ff-9014-e3bb940281c0
Verdict: Malicious activity
Threats:

Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.

Malware Trends Tracker     >>>
Analysis date: April 03, 2026, 04:05:34
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealc
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 13 sections
MD5:

8F265354174C253FBD077CCAE776DF09

SHA1:

66BC389F7163150B15CDCAE9BFE04DC4461914A4

SHA256:

40F44D2F66C7CFC9CCC6B10B1B31B1AA305AFAFEEE664417344F72BD74CBCF36

SSDEEP:

49152:hVjhjVUMLZAiZ+J9EueHebQIzAqRJruoIQ9dsKXBHOxb+fMqCSqDjnZAiWsOs:htgMV9s9EueHqR4oIijXBHIzZ9P

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • STEALC has been detected

      • x40f44d2f66c7cfc9ccc6b10b1b31b1aa305afafeee664417344f72bd74cbcf36.exe (PID: 8100)

    • STEALC mutex has been found

      • x40f44d2f66c7cfc9ccc6b10b1b31b1aa305afafeee664417344f72bd74cbcf36.exe (PID: 8100)

  • SUSPICIOUS

    • Windows Defender mutex has been found

      • x40f44d2f66c7cfc9ccc6b10b1b31b1aa305afafeee664417344f72bd74cbcf36.exe (PID: 8100)

  • INFO

    • Checks supported languages

      • x40f44d2f66c7cfc9ccc6b10b1b31b1aa305afafeee664417344f72bd74cbcf36.exe (PID: 8100)

    • Creates files or folders in the user directory

      • WerFault.exe (PID: 4312)

    • Reads the computer name

      • x40f44d2f66c7cfc9ccc6b10b1b31b1aa305afafeee664417344f72bd74cbcf36.exe (PID: 8100)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.dll | Win32 Dynamic Link Library (generic) (38.3)
.exe | Win32 Executable (generic) (26.3)
.exe | Clipper DOS Executable (11.7)
.exe | Generic Win/DOS Executable (11.6)
.exe | DOS Executable Generic (11.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2022:08:09 00:11:21+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 10
CodeSize: 204288
InitializedDataSize: 3815936
UninitializedDataSize: -
EntryPoint: 0x95f3
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 25.0.0.0
ProductVersionNumber: 61.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Unknown (0373)
CharacterSet: Unknown (63B6)
FileDescriptions: Buttiskamf
InternalName: Bastard.exe
LegalTrademark1: Fascal
OriginalFileName: Lameros.exe
ProductName: Jadocka
ProductVersion: 57.38.26
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
136
Monitored processes
3
Malicious processes
1
Suspicious processes
0

Behavior graph

Click at the process to see the details
start #STEALC x40f44d2f66c7cfc9ccc6b10b1b31b1aa305afafeee664417344f72bd74cbcf36.exe slui.exe werfault.exe

Process information

PID
CMD
Path
Indicators
Parent process
4312C:\WINDOWS\SysWOW64\WerFault.exe -u -p 8100 -s 380C:\Windows\SysWOW64\WerFault.exe
x40f44d2f66c7cfc9ccc6b10b1b31b1aa305afafeee664417344f72bd74cbcf36.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
6988C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
8100"C:\Users\admin\Desktop\x40f44d2f66c7cfc9ccc6b10b1b31b1aa305afafeee664417344f72bd74cbcf36.exe" C:\Users\admin\Desktop\x40f44d2f66c7cfc9ccc6b10b1b31b1aa305afafeee664417344f72bd74cbcf36.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221225501
Modules
Images
c:\users\admin\desktop\x40f44d2f66c7cfc9ccc6b10b1b31b1aa305afafeee664417344f72bd74cbcf36.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events
9 343
Read events
9 342
Write events
1
Delete events
0

Modification events

(PID) Process:(6988) slui.exeKey:HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation:writeName:@%SystemRoot%\System32\sppcomapi.dll,-3200
Value:
Software Licensing
Executable files
0
Suspicious files
2
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
4312WerFault.exeC:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_x40f44d2f66c7cfc_53d59be27f25ca676d4b28c5b0fa35e7ac5f4e4_36c7b69e_8834a471-b58d-48e4-aadb-396836a5990d\Report.wer
MD5:
SHA256:
4312WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER1BC1.tmp.dmpbinary
MD5:EEE7899F9114A8BB3A1749EB22C6FE38
SHA256:728DC888029AE320873B38074122F67142AB9065EF550D72561BECBEA7B58F77
4312WerFault.exeC:\Users\admin\AppData\Local\CrashDumps\x40f44d2f66c7cfc9ccc6b10b1b31b1aa305afafeee664417344f72bd74cbcf36.exe.8100.dmpbinary
MD5:B769DA8F251A160C32858B9B4FF01427
SHA256:7695487D7FAFF391E22D871AAD425EDFD1AB815D9D2C6C7F3B509C617F0D9B79
4312WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER1C20.tmp.WERInternalMetadata.xmlxml
MD5:A4B611CAE988D7407F8BBD40881C8FD9
SHA256:63B1AA1A52DA511BEEE856C58EC3A8D2349C52AB368D558B8D5BE474DD5A2995
4312WerFault.exeC:\ProgramData\Microsoft\Windows\WER\Temp\WER1C5F.tmp.xmlxml
MD5:D58FBADC52AF7D99B0F3FF781781DA60
SHA256:17533884AF88895EB97D3A43622CB9749AD75689E27C8F345D1AFF27DE537FF9
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
22
DNS requests
10
Threats
1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5484
svchost.exe
GET
304
20.73.194.208:443
https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4
US
whitelisted
5276
MoUsoCoreWorker.exe
GET
304
20.73.194.208:443
https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30
US
whitelisted
5484
svchost.exe
GET
200
23.59.18.102:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
5484
svchost.exe
GET
200
23.216.77.42:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
3280
svchost.exe
GET
200
23.59.18.102:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.3.crl
US
binary
813 b
whitelisted
6988
slui.exe
POST
500
48.192.1.65:443
https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail
US
text
512 b
whitelisted
3280
svchost.exe
GET
200
23.59.18.102:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
US
binary
409 b
whitelisted
3280
svchost.exe
GET
200
23.59.18.102:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
US
binary
419 b
whitelisted
3280
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
NL
binary
824 b
whitelisted
3280
svchost.exe
GET
200
23.59.18.102:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.3.crl
US
binary
400 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5484
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:137
Not routed
whitelisted
5276
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7988
slui.exe
48.192.1.65:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
5484
svchost.exe
23.216.77.42:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
5484
svchost.exe
23.59.18.102:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5276
MoUsoCoreWorker.exe
23.59.18.102:80
www.microsoft.com
AKAMAI-AS
US
whitelisted
5276
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5484
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.104.136.2
whitelisted
activation-v2.sls.microsoft.com
  • 48.192.1.65
whitelisted
google.com
  • 142.251.20.113
  • 142.251.20.102
  • 142.251.20.138
  • 142.251.20.101
  • 142.251.20.139
  • 142.251.20.100
whitelisted
crl.microsoft.com
  • 23.216.77.42
  • 23.216.77.6
  • 23.216.77.28
whitelisted
www.microsoft.com
  • 23.59.18.102
whitelisted
watson.events.data.microsoft.com
  • 172.178.240.162
whitelisted
self.events.data.microsoft.com
  • 20.189.173.10
whitelisted

Threats

PID
Process
Class
Message
5484
svchost.exe
Unknown Traffic
ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
x40f44d2f66c7cfc9ccc6b10b1b31b1aa305afafeee664417344f72bd74cbcf36.exe