File name: 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe
Full analysis: https://app.any.run/tasks/863c2fb0-2c00-4a6c-85a2-9b5d0c7ae5c0
Verdict: Malicious activity
Threats:

Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.

Analysis date: February 18, 2026, 12:47:35
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: stealer, stealc
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 9D33A9FDB8FB108DA2AA7E309A055D60
SHA1: 9A22ED53C9F7356930B5910AC5E5258D841EF4B0
SHA256: 69F28A96C3B1F6636691345E01DE8DDC54569C5FD479DB676B457DC8DA1B06AA
SSDEEP: 24576:2Lmm2RE+Kp9Qtj2Fg86Law+Hoc97ELc2h:2Lmm2RE+KbQtj2G86Law+Hoc97ELc2h

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • STEALC has been detected (SURICATA)
      • 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe (PID: 7704)
    • STEALC has been detected
      • 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe (PID: 7704)
  • SUSPICIOUS
    • Executes application which crashes
      • 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe (PID: 7704)
    • Contacting a server suspected of hosting a CnC
      • 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe (PID: 7704)
  • INFO
    • Creates files or folders in the user directory
      • WerFault.exe (PID: 6340)
    • Checks proxy server information
      • 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe (PID: 7704)
      • WerFault.exe (PID: 6340)
      • slui.exe (PID: 9040)
    • Reads security settings of Internet Explorer
      • 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe (PID: 7704)
    • Checks supported languages
      • 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe (PID: 7704)
    • Reads the computer name
      • 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe (PID: 7704)
No Malware configuration.

TRiD

.exe | InstallShield setup (36.8)
.exe | Win32 Executable MS Visual C++ (generic) (26.6)
.exe | Win64 Executable (generic) (23.6)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2026:02:12 23:30:40+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.44
CodeSize: 335872
InitializedDataSize: 340992
UninitializedDataSize: -
EntryPoint: 0x19214
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
Total processes: 150
Monitored processes: 3
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph nodes: start, #STEALC 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe, werfault.exe, slui.exe

Process information

PID 6340: C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7704 -s 1280
Path: C:\Windows\SysWOW64\WerFault.exe
Parent process: 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Problem Reporting
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images): c:\windows\syswow64\werfault.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\msvcrt.dll, c:\windows\syswow64\combase.dll

PID 7704: "C:\Users\admin\Desktop\69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe"
Path: C:\Users\admin\Desktop\69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 3221226505 (0xC0000409, STATUS_STACK_BUFFER_OVERRUN)
Modules (images): c:\users\admin\desktop\69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe, c:\windows\system32\ntdll.dll, c:\windows\syswow64\ntdll.dll, c:\windows\system32\wow64.dll, c:\windows\system32\wow64win.dll, c:\windows\system32\wow64cpu.dll, c:\windows\syswow64\kernel32.dll, c:\windows\syswow64\kernelbase.dll, c:\windows\syswow64\apphelp.dll, c:\windows\syswow64\advapi32.dll

PID 9040: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images): c:\windows\system32\slui.exe, c:\windows\system32\ntdll.dll, c:\windows\system32\kernel32.dll, c:\windows\system32\kernelbase.dll, c:\windows\system32\advapi32.dll, c:\windows\system32\msvcrt.dll, c:\windows\system32\sechost.dll, c:\windows\system32\rpcrt4.dll, c:\windows\system32\bcrypt.dll, c:\windows\system32\user32.dll
Total events: 9 967
Read events: 9 956
Write events: 11
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
7704 | 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content | CachePrefix | (empty)
7704 | 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies | CachePrefix | Cookie:
7704 | 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History | CachePrefix | Visited:
7704 | 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
7704 | 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | 1
7704 | 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | 1
7704 | 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe | write | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | 0
Executable files: 0
Suspicious files: 2
Text files: 2
Unknown types: 0

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
6340 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_69f28a96c3b1f663_17931873b36d182b591d2caf2fab3563aa31babb_f4d4b06e_80dca4fe-8f50-4de9-83fc-7c34435322bc\Report.wer | | |
6340 | WerFault.exe | C:\Users\admin\AppData\Local\CrashDumps\69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe.7704.dmp | binary | 65AA156C3D695B8F0B71D3A89ABA08C9 | 878DAC8936405383C7CB7DC0DEFA3933076AE9FAFE1DD3DF6A2100B39F6DF40F
6340 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER6138.tmp.dmp | binary | 5FAF30DF0F7561A290E40E437F46CA99 | 4D76F779A69B0F8541FE5B0F507AB1EA42DDA7B54B0E2F4F00EFD31A3A9031C8
6340 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER61C6.tmp.WERInternalMetadata.xml | xml | 2F6E32D9C75B3906AB55FD2D65214332 | F963C83F9B5D4B6F0CDF94FFA225705FB82A387AA9A609D6FC13AA452635D458
6340 | WerFault.exe | C:\ProgramData\Microsoft\Windows\WER\Temp\WER61E6.tmp.xml | xml | 93D49C40FD64540A2B927FD945093BB3 | 174714DAF8F2D012F4F8731E728798AA29A0BE25B8FBCDC2705B82EA69112F5F
HTTP(S) requests: 63
TCP/UDP connections: 55
DNS requests: 23
Threats: 2

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
7212 | RUXIMICS.exe | GET | 304 | 20.73.194.208:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/RUXIM?os=Windows&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3623&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&FlightRing=Retail&AttrDataVer=186&App=RUXIM&AppVer=&DeviceFamily=Windows.Desktop | unknown | | | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 304 | 20.73.194.208:443 | https://settings-win.data.microsoft.com/settings/v3.0/wsd/muse?ProcessorClockSpeed=3094&FlightIds=&UpdateOfferedDays=4294967295&BranchReadinessLevel=CB&OEMManufacturerName=DELL&IsCloudDomainJoined=0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&sku=48&ActivationChannel=Retail&AttrDataVer=186&IsMDMEnrolled=0&ProcessorCores=6&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&TotalPhysicalRAM=6144&PrimaryDiskType=4294967295&FlightingBranchName=&ChassisTypeId=1&OEMModelNumber=DELL&SystemVolumeTotalCapacity=260281&sampleId=95271487&deviceClass=Windows.Desktop&App=muse&DisableDualScan=0&AppVer=10.0&OEMSubModel=J5CR&locale=en-US&IsAlwaysOnAlwaysConnectedCapable=0&ms=0&DefaultUserRegion=244&UpdateServiceUrl=http%3A%2F%2Fneverupdatewindows10.com&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&os=windows&deviceId=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&DeferQualityUpdatePeriodInDays=0&ring=Retail&DeferFeatureUpdatePeriodInDays=30 | unknown | | | whitelisted
7704 | 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe | POST | 404 | 185.123.102.253:80 | http://185.123.102.253/0bbfbb85010e4111.php | unknown | | | unknown
7304 | svchost.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
8876 | SIHClient.exe | GET | 304 | 135.232.92.137:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | | | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
7212 | RUXIMICS.exe | GET | 200 | 2.16.164.49:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
7304 | svchost.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
7304 | svchost.exe | GET | 200 | 20.73.194.208:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaasMedic?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&appVer=10.0.19041.3758&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4 | unknown | | 3.41 Kb | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | Not routed | | whitelisted
7304 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7212 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
6768 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
| | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
4 | System | 192.168.100.255:138 | | Not routed | | whitelisted
7704 | 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe | 185.123.102.253:80 | | HZ-EU-AS | BG | malicious
7304 | svchost.exe | 2.16.164.49:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
7212 | RUXIMICS.exe | 2.16.164.49:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted
6768 | MoUsoCoreWorker.exe | 2.16.164.49:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
self.events.data.microsoft.com | 52.182.143.208, 104.46.162.226 | whitelisted
client.wns.windows.com | 172.211.123.248, 172.211.123.249 | whitelisted
google.com | 142.251.127.102, 142.251.127.138, 142.251.127.139, 142.251.127.100, 142.251.127.113, 142.251.127.101 | whitelisted
crl.microsoft.com | 2.16.164.49, 2.16.164.120, 23.216.77.38, 23.216.77.30, 23.216.77.25, 23.216.77.36, 23.216.77.18 | whitelisted
www.microsoft.com | 23.52.181.212, 88.221.169.152 | whitelisted
login.live.com | 40.126.31.129, 20.190.159.23, 20.190.159.71, 40.126.31.130, 40.126.31.69, 20.190.159.73, 20.190.159.68, 20.190.159.0 | whitelisted
watson.events.data.microsoft.com | 172.178.240.162 | whitelisted
slscr.update.microsoft.com | 135.232.92.137 | whitelisted
fe3cr.delivery.mp.microsoft.com | 74.179.77.164 | whitelisted

Threats

PID | Process | Class | Message
7704 | 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe | Malware Command and Control Activity Detected | ET MALWARE StealC_V2 CnC Activity (POST)
7704 | 69f28a96c3b1f6636691345e01de8ddc54569c5fd479db676b457dc8da1b06aa.exe | Malware Command and Control Activity Detected | ET MALWARE StealC CnC Activity (POST)
No debug info