URL:

https://downloadstep.com/go/08a742f2-0a36-4a00-a979-885700e3028c

Full analysis: https://app.any.run/tasks/777e6f9d-fb50-46e4-b764-1ca065b58349
Verdict: Malicious activity
Threats:

Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.

Malware Trends Tracker     >>>
Analysis date: August 13, 2024, 15:38:34
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
alfac2
stealer
stealc
Indicators:
MD5:

67DA1984A95420C4B093C046C42ADB3D

SHA1:

033609801794159EC74DCAE1699E7A0DC9B6FC6E

SHA256:

4586127D2ADC9DB412A3C04E728290C237A018CA39253D408D06812F29790A03

SSDEEP:

3:N8SE4mVyTKJK00aPVj4YE:2SyyTKF0aPKYE

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Scans artifacts that could help determine the target

      • mshta.exe (PID: 5624)

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 5744)

    • Changes powershell execution policy (Unrestricted)

      • mshta.exe (PID: 5624)

    • Gets or sets the initialization vector for the symmetric algorithm (POWERSHELL)

      • powershell.exe (PID: 5744)

    • Uses AES cipher (POWERSHELL)

      • powershell.exe (PID: 5744)

    • Gets or sets the symmetric key that is used for encryption and decryption (POWERSHELL)

      • powershell.exe (PID: 5744)

    • Dynamically loads an assembly (POWERSHELL)

      • powershell.exe (PID: 5744)

    • Downloads the requested resource (POWERSHELL)

      • powershell.exe (PID: 5744)

    • ALFAC2 has been detected (YARA)

      • WinCatalog.exe (PID: 1080)

    • Connects to the CnC server

      • BitLockerToGo.exe (PID: 8020)

    • Stealers network behavior

      • BitLockerToGo.exe (PID: 8020)

    • STEALC has been detected (SURICATA)

      • BitLockerToGo.exe (PID: 8020)

  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • cookie_exporter.exe (PID: 7680)
      • BitLockerToGo.exe (PID: 8020)

    • Detected use of alternative data streams (AltDS)

      • powershell.exe (PID: 6040)

    • The process bypasses the loading of PowerShell profile settings

      • mshta.exe (PID: 5624)

    • Starts POWERSHELL.EXE for commands execution

      • mshta.exe (PID: 5624)

    • Probably obfuscated PowerShell command line is found

      • mshta.exe (PID: 5624)

    • Process drops legitimate windows executable

      • mshta.exe (PID: 5624)
      • powershell.exe (PID: 5744)

    • Drops the executable file immediately after the start

      • mshta.exe (PID: 5624)
      • powershell.exe (PID: 5744)

    • Gets or sets the security protocol (POWERSHELL)

      • powershell.exe (PID: 5744)

    • Extracts files to a directory (POWERSHELL)

      • powershell.exe (PID: 5744)

    • Writes data into a file (POWERSHELL)

      • powershell.exe (PID: 5744)

    • Cryptography encrypted command line is found

      • powershell.exe (PID: 5744)

    • Gets file extension (POWERSHELL)

      • powershell.exe (PID: 5744)

    • Executable content was dropped or overwritten

      • powershell.exe (PID: 5744)
      • mshta.exe (PID: 5624)

    • There is functionality for communication over UDP network (YARA)

      • WinCatalog.exe (PID: 1080)

    • Windows Defender mutex has been found

      • BitLockerToGo.exe (PID: 8020)

    • Contacting a server suspected of hosting an CnC

      • BitLockerToGo.exe (PID: 8020)

    • Connects to the server without a host name

      • BitLockerToGo.exe (PID: 8020)

  • INFO

    • Application launched itself

      • msedge.exe (PID: 6804)

    • Reads Microsoft Office registry keys

      • msedge.exe (PID: 6804)

    • Checks supported languages

      • identity_helper.exe (PID: 7712)
      • cookie_exporter.exe (PID: 7680)
      • TextInputHost.exe (PID: 5032)
      • WinCatalog.exe (PID: 1080)
      • BitLockerToGo.exe (PID: 8020)

    • Reads the computer name

      • identity_helper.exe (PID: 7712)
      • cookie_exporter.exe (PID: 7680)
      • TextInputHost.exe (PID: 5032)
      • BitLockerToGo.exe (PID: 8020)

    • Reads Environment values

      • identity_helper.exe (PID: 7712)
      • cookie_exporter.exe (PID: 7680)

    • Checks proxy server information

      • cookie_exporter.exe (PID: 7680)
      • mshta.exe (PID: 5624)
      • powershell.exe (PID: 5744)
      • BitLockerToGo.exe (PID: 8020)

    • Reads Internet Explorer settings

      • mshta.exe (PID: 5624)

    • Manual execution by a user

      • powershell.exe (PID: 6040)

    • Checks whether the specified file exists (POWERSHELL)

      • powershell.exe (PID: 5744)

    • Gets data length (POWERSHELL)

      • powershell.exe (PID: 5744)

    • Disables trace logs

      • powershell.exe (PID: 5744)

    • The executable file from the user directory is run by the Powershell process

      • WinCatalog.exe (PID: 1080)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 5744)

    • Creates files or folders in the user directory

      • BitLockerToGo.exe (PID: 8020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
200
Monitored processes
62
Malicious processes
5
Suspicious processes
0

Behavior graph

Click at the process to see the details
start iexplore.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs identity_helper.exe no specs identity_helper.exe no specs msedge.exe no specs cookie_exporter.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs textinputhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs powershell.exe no specs conhost.exe no specs msedge.exe no specs mshta.exe powershell.exe conhost.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs rundll32.exe no specs msedge.exe no specs THREAT wincatalog.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs #STEALC bitlockertogo.exe msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
188"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6620 --field-trial-handle=2368,i,1997467974032180467,8179533305666452976,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
304"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5968 --field-trial-handle=2368,i,1997467974032180467,8179533305666452976,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
460"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6520 --field-trial-handle=2368,i,1997467974032180467,8179533305666452976,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
644"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.3636 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=7068 --field-trial-handle=2368,i,1997467974032180467,8179533305666452976,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1080"C:\Users\admin\AppData\Local\Temp\WinCatalog.exe" C:\Users\admin\AppData\Local\Temp\WinCatalog.exe
powershell.exe
User:
admin
Company:
WinCatalog
Integrity Level:
MEDIUM
Description:
WinCatalog Setup
Exit code:
666
Version:
7.14.1564
Modules
Images
c:\users\admin\appdata\local\temp\wincatalog.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
1344"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=7408 --field-trial-handle=2368,i,1997467974032180467,8179533305666452976,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1636"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6764 --field-trial-handle=2368,i,1997467974032180467,8179533305666452976,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2080"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6496 --field-trial-handle=2368,i,1997467974032180467,8179533305666452976,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2396"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=35 --mojo-platform-channel-handle=4576 --field-trial-handle=2368,i,1997467974032180467,8179533305666452976,262144 --variations-seed-version /prefetch:1C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2616"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3848 --field-trial-handle=2368,i,1997467974032180467,8179533305666452976,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
34 954
Read events
34 535
Write events
412
Delete events
7

Modification events

(PID) Process:(6628) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:L1WatermarkLowPart
Value:
0
(PID) Process:(6628) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:L1WatermarkHighPart
Value:
0
(PID) Process:(6628) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
0
(PID) Process:(6628) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
0
(PID) Process:(6628) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:NextCheckForUpdateLowDateTime
Value:
(PID) Process:(6628) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\UrlBlock
Operation:writeName:NextCheckForUpdateHighDateTime
Value:
31124886
(PID) Process:(6628) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6628) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6628) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(6628) iexplore.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:writeName:CompatibilityFlags
Value:
0
Executable files
18
Suspicious files
502
Text files
133
Unknown types
49

Dropped files

PID
Process
Filename
Type
6804msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RFe5d7d.TMP
MD5:
SHA256:
6804msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RFe5d7d.TMP
MD5:
SHA256:
6804msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RFe5d7d.TMP
MD5:
SHA256:
6804msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
6804msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
6804msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RFe5d8d.TMP
MD5:
SHA256:
6804msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
6804msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
6804msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RFe5d8d.TMP
MD5:
SHA256:
6804msedge.exeC:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
39
TCP/UDP connections
114
DNS requests
109
Threats
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1248
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
6148
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
5336
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
6344
svchost.exe
HEAD
200
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/39631034-5b64-4aa8-813e-46d47f5abfa3?P1=1724140096&P2=404&P3=2&P4=U%2fcbY0Jk8eqcbVppkUmoAiGjL9x3Ab8yeKGeKueynpG0Ak5sQwjPa6m4sowTHfoS%2bZjXlN0Y9xlmhWOeGB9Lzw%3d%3d
unknown
whitelisted
6344
svchost.exe
GET
206
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/39631034-5b64-4aa8-813e-46d47f5abfa3?P1=1724140096&P2=404&P3=2&P4=U%2fcbY0Jk8eqcbVppkUmoAiGjL9x3Ab8yeKGeKueynpG0Ak5sQwjPa6m4sowTHfoS%2bZjXlN0Y9xlmhWOeGB9Lzw%3d%3d
unknown
whitelisted
6344
svchost.exe
GET
206
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/39631034-5b64-4aa8-813e-46d47f5abfa3?P1=1724140096&P2=404&P3=2&P4=U%2fcbY0Jk8eqcbVppkUmoAiGjL9x3Ab8yeKGeKueynpG0Ak5sQwjPa6m4sowTHfoS%2bZjXlN0Y9xlmhWOeGB9Lzw%3d%3d
unknown
whitelisted
6344
svchost.exe
GET
206
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/39631034-5b64-4aa8-813e-46d47f5abfa3?P1=1724140096&P2=404&P3=2&P4=U%2fcbY0Jk8eqcbVppkUmoAiGjL9x3Ab8yeKGeKueynpG0Ak5sQwjPa6m4sowTHfoS%2bZjXlN0Y9xlmhWOeGB9Lzw%3d%3d
unknown
whitelisted
6344
svchost.exe
GET
206
152.199.19.161:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/39631034-5b64-4aa8-813e-46d47f5abfa3?P1=1724140096&P2=404&P3=2&P4=U%2fcbY0Jk8eqcbVppkUmoAiGjL9x3Ab8yeKGeKueynpG0Ak5sQwjPa6m4sowTHfoS%2bZjXlN0Y9xlmhWOeGB9Lzw%3d%3d
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
239.255.255.250:1900
whitelisted
1536
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
5336
SearchApp.exe
104.126.37.162:443
www.bing.com
Akamai International B.V.
DE
unknown
20.190.159.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
40.113.110.67:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1248
svchost.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted
1248
svchost.exe
20.190.159.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5336
SearchApp.exe
192.229.221.95:80
ocsp.digicert.com
EDGECAST
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 4.231.128.59
whitelisted
google.com
  • 142.250.185.174
whitelisted
www.bing.com
  • 104.126.37.162
  • 104.126.37.154
  • 104.126.37.160
  • 104.126.37.153
  • 104.126.37.170
  • 104.126.37.145
  • 104.126.37.171
  • 104.126.37.139
  • 104.126.37.146
  • 104.126.37.178
  • 104.126.37.168
  • 104.126.37.184
  • 104.126.37.177
  • 104.126.37.128
  • 104.126.37.131
  • 104.126.37.130
  • 104.126.37.155
  • 104.126.37.137
whitelisted
login.live.com
  • 20.190.159.64
  • 20.190.159.73
  • 40.126.31.69
  • 20.190.159.68
  • 20.190.159.71
  • 20.190.159.75
  • 40.126.31.73
  • 20.190.159.4
whitelisted
client.wns.windows.com
  • 40.113.110.67
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
downloadstep.com
  • 35.158.71.179
  • 52.28.208.227
  • 3.70.16.242
unknown
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 13.107.21.239
  • 204.79.197.239
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted

Threats

PID
Process
Class
Message
7044
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
7044
msedge.exe
Not Suspicious Traffic
INFO [ANY.RUN] Cloudflare content delivery network (cdnjs .cloudflare .com)
8020
BitLockerToGo.exe
Malware Command and Control Activity Detected
STEALER [ANY.RUN] Stealc HTTP POST Request
8020
BitLockerToGo.exe
Malware Command and Control Activity Detected
ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
https://downloadstep.com/go/08a742f2-0a36-4a00-a979-885700e3028c