File name: x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe

Full analysis: https://app.any.run/tasks/afaeeb71-8f68-4117-a572-eb18dbc39748
Verdict: Malicious activity
Threats:

Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.

Analysis date: June 05, 2026, 03:00:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: stealer, stealc, vidar, golang, rust
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 9 sections
MD5: EDDADFE6FCC0A83EE7A34E707AE14F3A
SHA1: BD1936B57842A0D2A410DA0860C786835F674E2C
SHA256: 5F660F7E1D3855E5633EB086C74ED0594EEFB948339E611AA7B0FBF5C629CB8A
SSDEEP: 98304:qqSMenjRcAIie0DqSpLg6fs/q6OIBu3nTD6I6RmnODUNVPiDaf16LyWV9tFUCi/K:kQfUfiD8c4LM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • Actions looks like stealing of personal data

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • STEALC has been detected (SURICATA)

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • Steals credentials from Web Browsers

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • VIDAR has been detected (SURICATA)

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • Reads the date of Windows installation

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • Searches for installed software

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • Contacting a server suspected of hosting an CnC

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • Possible stealing from password managers

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • Possible stealing from crypto wallets

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • Possible stealing of email data

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • Possible stealing from browsers

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • The process verifies whether the antivirus software is installed

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • Possible stealing of FTP data

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • Possible stealing of cloud data

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
  • INFO

    • Checks supported languages

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
      • Eyidm.exe (PID: 4932)
      • identity_helper.exe (PID: 3960)
    • Create files in a temporary directory

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • Reads the computer name

      • Eyidm.exe (PID: 4932)
      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
      • identity_helper.exe (PID: 3960)
    • Reads product name

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • Reads Environment values

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
      • identity_helper.exe (PID: 3960)
    • Reads CPU info

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • Process checks computer location settings

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • Reads security settings of Internet Explorer

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • Reads the machine GUID from the registry

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • Application launched itself

      • chrome.exe (PID: 8340)
      • chrome.exe (PID: 8912)
      • msedge.exe (PID: 2524)
      • msedge.exe (PID: 6816)
      • msedge.exe (PID: 8624)
      • msedge.exe (PID: 7276)
    • Application based on Golang

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
    • Application based on Rust

      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
      • Eyidm.exe (PID: 4932)
    • There is functionality for taking screenshot (YARA)

      • Eyidm.exe (PID: 4932)
      • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (PID: 4672)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (3.6)
.exe | Win32 EXE PECompact compressed (v2.x) (3.5)
.exe | Win32 EXE PECompact compressed (generic) (3.5)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 1970:01:01 09:38:02+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 3
CodeSize: 617472
InitializedDataSize: 54784
UninitializedDataSize: -
EntryPoint: 0x7b740
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
All screenshots are available in the full report
Total processes: 199
Monitored processes: 45
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Process list as drawn in the graph (in report order; "no specs" is the report's own marker on a process):
  • x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe (start, #STEALC)
  • eyidm.exe
  • slui.exe
  • chrome.exe (no specs) ×3
  • chrome.exe
  • chrome.exe (no specs) ×4
  • chrome.exe
  • chrome.exe (no specs) ×2
  • chrome.exe
  • chrome.exe (no specs) ×5
  • msedge.exe (no specs) ×4
  • msedge.exe
  • msedge.exe (no specs) ×5
  • msedge.exe
  • msedge.exe (no specs) ×2
  • msedge.exe
  • msedge.exe (no specs) ×6
  • identity_helper.exe (no specs) ×2
  • msedge.exe (no specs) ×3

Process information

PID: 2016
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=1452,i,7468833566224562671,4837151045304506020,262144 --variations-seed-version --mojo-platform-channel-handle=2652 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Indicators: –
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (images):
  • c:\program files (x86)\microsoft\edge\application\msedge.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
PID: 2340
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.127 --initial-client-data=0x220,0x224,0x228,0x90,0x22c,0x7ffe256dfff8,0x7ffe256e0004,0x7ffe256e0010
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators: –
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules (images):
  • c:\program files\google\chrome\application\chrome.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\aclayers.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll
PID: 2524
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-first-run --disable-gpu about:blank
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Indicators: –
Parent process: x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (images):
  • c:\program files (x86)\microsoft\edge\application\msedge.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
PID: 2724
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3552,i,7468833566224562671,4837151045304506020,262144 --variations-seed-version --mojo-platform-channel-handle=3564 /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Indicators: –
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (images):
  • c:\program files (x86)\microsoft\edge\application\msedge.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
PID: 3108
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --pdf-upsell-enabled --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4116,i,7468833566224562671,4837151045304506020,262144 --variations-seed-version --mojo-platform-channel-handle=4124 /prefetch:2
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Indicators: –
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (images):
  • c:\program files (x86)\microsoft\edge\application\msedge.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
PID: 3200
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6212,i,1695351079609157940,16615103499719651748,262144 --variations-seed-version --mojo-platform-channel-handle=6292 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Indicators: –
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (images):
  • c:\program files (x86)\microsoft\edge\application\msedge.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
PID: 3416
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=4808,i,1695351079609157940,16615103499719651748,262144 --variations-seed-version --mojo-platform-channel-handle=4456 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Indicators: –
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (images):
  • c:\program files (x86)\microsoft\edge\application\msedge.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
PID: 3960
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=5660,i,1695351079609157940,16615103499719651748,262144 --variations-seed-version --mojo-platform-channel-handle=5624 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.92\identity_helper.exe
Indicators: –
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: PWA Identity Proxy Host
Exit code: 0
Version: 133.0.3065.92
Modules (images):
  • c:\program files (x86)\microsoft\edge\application\133.0.3065.92\identity_helper.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll
PID: 4228
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=6124,i,1695351079609157940,16615103499719651748,262144 --variations-seed-version --mojo-platform-channel-handle=6368 /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Indicators: –
Parent process: msedge.exe
User: admin
Company: Microsoft Corporation
Integrity Level: LOW
Description: Microsoft Edge
Exit code: 0
Version: 133.0.3065.92
Modules (images):
  • c:\program files (x86)\microsoft\edge\application\msedge.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\program files (x86)\microsoft\edge\application\133.0.3065.92\msedge_elf.dll
  • c:\windows\system32\oleaut32.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll
PID: 4592
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=2092,i,7514056635260304543,6119646220489184963,262144 --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=2208 /prefetch:3
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Indicators: –
Parent process: chrome.exe
User: admin
Company: Google LLC
Integrity Level: MEDIUM
Description: Google Chrome
Exit code: 0
Version: 133.0.6943.127
Modules (images):
  • c:\program files\google\chrome\application\chrome.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\apphelp.dll
  • c:\windows\system32\aclayers.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\user32.dll
  • c:\windows\system32\win32u.dll
  • c:\windows\system32\gdi32.dll
Total events: 7 545
Read events: 7 543
Write events: 2
Delete events: 0

Modification events

(PID) Process: (9104) slui.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\3d\52C64B7E
Operation: write
Name: @%SystemRoot%\System32\sppcomapi.dll,-3200
Value: Software Licensing

(PID) Process: (4672) x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation: write
Name: TS_26b799fa
Value: 17DA686
Executable files: 1
Suspicious files: 72
Text files: 319
Unknown types: 0

Dropped files

| PID | Process | Filename |
| --- | --- | --- |
| 8340 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old~RF15d77d.TMP |
| 8340 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\ClientCertificates\LOG.old |
| 8340 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old~RF15d78d.TMP |
| 8340 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old |
| 8340 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF15d78d.TMP |
| 8340 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF15d78d.TMP |
| 8340 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old |
| 8340 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF15d79d.TMP |
| 8340 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old |
| 8340 | chrome.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old |

The Type, MD5 and SHA256 columns are empty for every listed file.
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 195
TCP/UDP connections: 69
DNS requests: 58
Threats: 76

HTTP requests

| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 5836 | svchost.exe | GET | 200 | 23.216.77.6:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
| 4672 | x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe | POST | 200 | 192.168.1.2:443 | https://mub.matriculaflix.com/ | unknown | text | 2.27 Kb | unknown |
| 5836 | svchost.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted |
| 5276 | MoUsoCoreWorker.exe | GET | 200 | 88.221.169.152:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted |
| 9104 | slui.exe | POST | 500 | 192.168.1.2:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | – | – | whitelisted |
| 9104 | slui.exe | POST | 500 | 48.192.1.65:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | US | xml | 512 b | whitelisted |
| 4672 | x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe | GET | 200 | 192.168.1.2:443 | https://telegram.me/g75rit | unknown | – | – | – |
| 4672 | x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe | GET | 200 | 149.154.167.99:443 | https://telegram.me/g75rit | VG | html | 12.0 Kb | unknown |
| 4672 | x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe | POST | 200 | 192.168.1.2:443 | https://mub.matriculaflix.com/ | unknown | text | 43 b | unknown |
| 4672 | x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe | POST | 200 | 188.114.97.3:443 | https://mub.matriculaflix.com/ | US | text | 43 b | malicious |

Cells marked "–" are empty in the report.

Connections

| PID | Process | IP | Domain | ASN | CN | Reputation |
| --- | --- | --- | --- | --- | --- | --- |
| 4 | System | 192.168.100.255:137 | – | Not routed | – | whitelisted |
| 5276 | MoUsoCoreWorker.exe | 48.209.138.189:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| – | – | 2.16.241.218:443 | – | AKAMAI-ASN1 | NL | whitelisted |
| 2968 | slui.exe | 48.192.1.65:443 | – | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 4 | System | 192.168.100.255:138 | – | Not routed | – | whitelisted |
| 5836 | svchost.exe | 48.209.138.189:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 5836 | svchost.exe | 23.216.77.6:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
| 5836 | svchost.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
| 5276 | MoUsoCoreWorker.exe | 88.221.169.152:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
| 9104 | slui.exe | 48.192.1.65:443 | – | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |

Cells marked "–" are empty in the report.

DNS requests

| Domain | IP | Reputation |
| --- | --- | --- |
| crl.microsoft.com | 23.216.77.6, 23.216.77.28 | whitelisted |
| www.microsoft.com | 88.221.169.152 | whitelisted |
| google.com | 192.178.183.102, 192.178.183.113, 192.178.183.101, 192.178.183.138, 192.178.183.139, 192.178.183.100 | whitelisted |
| settings-win.data.microsoft.com | 48.209.138.189 | whitelisted |
| telegram.me | 149.154.167.99 | whitelisted |
| mub.matriculaflix.com | 188.114.97.3, 188.114.96.3 | unknown |
| safebrowsingohttpgateway.googleapis.com | 142.250.154.95, 142.251.20.95, 142.251.110.95, 142.251.14.95, 142.251.13.95, 142.251.127.95, 192.178.183.95 | whitelisted |
| clients2.google.com | 142.250.154.113, 142.250.154.100, 142.250.154.138, 142.250.154.139, 142.250.154.101, 142.250.154.102 | whitelisted |
| clientservices.googleapis.com | 142.251.14.113, 142.251.14.139, 142.251.14.101, 142.251.14.138, 142.251.14.102, 142.251.14.100 | whitelisted |
| accounts.google.com | 142.251.127.84 | whitelisted |

Threats

| PID | Process | Class | Message |
| --- | --- | --- | --- |
| – | – | A Network Trojan was detected | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 |
| 4672 | x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe | A Network Trojan was detected | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1 |
| – | – | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 |
| 4672 | x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 |
| – | – | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 |
| 4672 | x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1 |
| – | – | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 |
| – | – | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 |
| 4672 | x5f660f7e1d3855e5633eb086c74ed0594eefb948339e611aa7b0fbf5c629cb8a.exe | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 |
| – | – | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 |
| – | – | Malware Command and Control Activity Detected | ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2 |

Rows with PID and process marked "–" have those cells empty in the report.
| Process | Message |
| --- | --- |
| Eyidm.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation. |
| Eyidm.exe | WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation. |