File name:

Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe

Full analysis: https://app.any.run/tasks/9ea34b18-00e1-47bf-9d4c-f706f621a2f6
Verdict: Malicious activity
Threats:

Stealc is an information stealer that harvests sensitive data from browsers, messaging apps and other software and exfiltrates it to its operators. It ships with host fingerprinting, a web control panel, evasion mechanisms and string obfuscation. Stealc can establish persistence and talks to its C2 server through HTTP POST requests.

Analysis date: May 22, 2025, 09:34:10
OS: Windows 11 Professional (build: 22000, 64 bit)
Tags:
stealc
stealer
evasion
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows, 9 sections
MD5:

EFED07DC2B0F4C01EEFD643A69899933

SHA1:

AC27FB537F51256226F27B3570ADE0F9DBB567C0

SHA256:

87E6993296E3B64A2D27B96CD5A9B78C5C2BA0993901AAAFADE59B7F9A480D77

SSDEEP:

98304:/tIjr0mevZgNdmNgdCkbW2AtXEl7VAWBLlHJIDrUg1OYOYO0nnUuOGH4hlEpn43e:ZLP+g+

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is, for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • STEALC has been detected

      • Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe (PID: 2556)
    • Actions look like stealing of personal data

      • Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe (PID: 2556)
  • SUSPICIOUS

    • Reads the Internet Settings

      • Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe (PID: 2556)
    • Reads settings of System Certificates

      • Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe (PID: 2556)
    • Reads security settings of Internet Explorer

      • Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe (PID: 2556)
    • Searches for installed software

      • Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe (PID: 2556)
    • Checks for external IP

      • svchost.exe (PID: 1664)
    • Multiple wallet extension IDs have been found

      • Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe (PID: 2556)
    • Loads DLL from Mozilla Firefox

      • Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe (PID: 2556)
    • There is functionality for taking screenshot (YARA)

      • Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe (PID: 2556)
  • INFO

    • Reads the computer name

      • Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe (PID: 2556)
    • Checks proxy server information

      • Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe (PID: 2556)
    • Checks supported languages

      • Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe (PID: 2556)
    • Reads the machine GUID from the registry

      • Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe (PID: 2556)
    • Creates files or folders in the user directory

      • Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe (PID: 2556)
    • Reads the software policy settings

      • Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe (PID: 2556)
    • Reads CPU info

      • Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe (PID: 2556)
    • Creates files in the program directory

      • Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe (PID: 2556)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.exe | InstallShield setup (83.4)
.exe | Win32 Executable (generic) (8.7)
.exe | Generic Win/DOS Executable (3.8)
.exe | DOS Executable Generic (3.8)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:21 19:48:36+00:00
ImageFileCharacteristics: Executable, No line numbers, No symbols, 32-bit, No debug
PEType: PE32
LinkerVersion: 2.44
CodeSize: 87552
InitializedDataSize: 16844800
UninitializedDataSize: 3072
EntryPoint: 0x1400
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
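The EXIF block above is just a rendering of the PE COFF and optional headers. The following added example (written for this page, not ANY.RUN code) parses those fields directly with the standard library and then applies three triage checks a practitioner would make on this sample: how close the compile timestamp is to the analysis time, what the linker version says about the toolchain, and how the initialized-data size compares with the code size. The demo header is constructed from the values in the EXIF block; BaseOfCode, BaseOfData, ImageBase and the alignments are assumed, since the report does not list them.

```python
"""Parse the PE header fields the EXIF block reports and run quick triage on them.

Added example; the demo header is constructed from the EXIF values above, with a
few fields the report does not show (image base, alignments) filled in as assumptions.
"""
import struct
from datetime import datetime, timezone

MACHINES = {0x14C: "Intel 386 or later, and compatibles", 0x8664: "AMD AMD64",
            0x1C0: "ARM", 0xAA64: "ARM64"}
CHARACTERISTICS = {0x0002: "Executable", 0x0004: "No line numbers", 0x0008: "No symbols",
                   0x0100: "32-bit", 0x0200: "No debug", 0x2000: "DLL"}
SUBSYSTEMS = {1: "Native", 2: "Windows GUI", 3: "Windows CUI"}


def parse_pe_header(data):
    """Read the DOS, COFF and optional-header fields needed for triage.

    The fields read here sit at the same offsets in PE32 and PE32+ optional headers.
    """
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsections, ts, _, _, _, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, ld_major, ld_minor, code, idata, udata, entry = struct.unpack_from("<HBBIIII", data, opt)
    os_major, _, img_major, _, sub_major, _ = struct.unpack_from("<6H", data, opt + 40)
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]
    compiled = datetime.fromtimestamp(ts, tz=timezone.utc)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "sections": nsections,
        "compiled": compiled,
        "timestamp": compiled.isoformat(sep=" "),
        "characteristics": [name for bit, name in CHARACTERISTICS.items() if chars & bit],
        "pe_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, hex(magic)),
        "linker": f"{ld_major}.{ld_minor}",
        "code_size": code, "init_data_size": idata, "uninit_data_size": udata,
        "entry_point": entry,
        "os_version": os_major, "image_version": img_major, "subsystem_version": sub_major,
        "subsystem": SUBSYSTEMS.get(subsystem, str(subsystem)),
    }


def triage(info, analysed_at):
    """Return human-readable notes; the thresholds are judgement calls, not rules."""
    notes = []
    age_h = (analysed_at - info["compiled"]).total_seconds() / 3600
    if age_h < 0:
        notes.append("compile timestamp lies after the analysis time: likely forged")
    elif age_h < 48:
        notes.append(f"compiled {age_h:.1f} h before analysis")
    if info["linker"].startswith("2."):
        # MSVC writes 6.x-14.x here; GNU ld writes its binutils version (2.44 = binutils 2.44).
        notes.append("linker 2.x: GNU ld (MinGW-style toolchain), not MSVC")
    if info["code_size"] and info["init_data_size"] > 20 * info["code_size"]:
        notes.append("initialized data dwarfs code: large embedded blob likely")
    return notes


def build_demo_header():
    """Constructed PE32 header carrying the values from the EXIF block above."""
    ts = int(datetime(2025, 5, 21, 19, 48, 36, tzinfo=timezone.utc).timestamp())
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 9, ts, 0, 0, 224, 0x030E)
    opt = struct.pack("<HBBIIII", 0x10B, 2, 44, 87552, 16844800, 3072, 0x1400)
    opt += struct.pack("<III", 0x1000, 0x17000, 0x400000)         # BaseOfCode/BaseOfData/ImageBase (assumed)
    opt += struct.pack("<II", 0x1000, 0x200)                       # section/file alignment (assumed)
    opt += struct.pack("<6H", 4, 0, 1, 0, 4, 0)                    # OS, image, subsystem versions
    opt += struct.pack("<IIII", 0, 0, 0, 0)                        # Win32VersionValue, SizeOfImage, SizeOfHeaders, CheckSum
    opt += struct.pack("<HH", 2, 0)                                # Subsystem = Windows GUI, DllCharacteristics
    opt += bytes(224 - len(opt))                                   # stack/heap sizes and data directories left zero
    return dos + coff + opt


def demo():
    """Parse the constructed header and triage it against this report's analysis time."""
    info = parse_pe_header(build_demo_header())
    analysed_at = datetime(2025, 5, 22, 9, 34, 10, tzinfo=timezone.utc)  # analysis date from the report
    return info, triage(info, analysed_at)


if __name__ == "__main__":
    info, notes = demo()
    for key, value in info.items():
        print(f"{key}: {value}")
    print("triage:", notes)
```

To run it on a real file, pass `open(path, "rb").read(4096)` to `parse_pe_header`; the DOS stub and headers of this sample fit comfortably in the first page.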
All screenshots are available in the full report
Total processes: 102
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

start -> türk müziğinde makamlar, usuller ve seyir örnekleri - m.exe (tagged #STEALC); svchost.exe

Process information

PID: 1664
CMD: C:\Windows\system32\svchost.exe -k NetworkService -p
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.22000.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll

PID: 2556
CMD: "C:\Users\admin\Desktop\Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe"
Path: C:\Users\admin\Desktop\Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules (images):
c:\users\admin\desktop\türk müziğinde makamlar, usuller ve seyir örnekleri - m.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64base.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64con.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
Total events: 4 274
Read events: 4 263
Write events: 11
Delete events: 0

Modification events

All seven registry writes come from PID 2556 (Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe). They are WinINet's own ZoneMap and cache-prefix values, which the library initialises the first time a process uses it; they show that the sample talks HTTP through WinINet, and are not persistence.

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: ProxyBypass
Value: 1

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: IntranetName
Value: 1

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 1

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: AutoDetect
Value: 0

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:
Executable files: 0
Suspicious files: 11
Text files: 0
Unknown types: 0

Dropped files

All files below were written by PID 2556, Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe. Type: binary.

C:\ProgramData\VBTs85u9fcHc
MD5: D4FFBCB6C3BE3C361A27B003A9E59B9D
SHA256: 4FAC37318809D95FBDC4A5170D67E506248D927AE9C55FE1D0134B509C699C0B

C:\ProgramData\KmYMNSRA4OA6
MD5: A45465CDCDC6CB30C8906F3DA4EC114C
SHA256: 4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209

C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\J0KBFYBW\23JVA4WF.json
MD5: 5197FCE47FCA0827BA5A2C40226D909F
SHA256: 05FA2581E3CEB24396E37500F55056E64C5378FC2F02EC3CF40B3C2A3EF96EB9

C:\ProgramData\ENOIP63mV3ak
MD5: 878B4A19A46C2343632625663498ACC1
SHA256: 9449376593BDBC61C221CF26F2DE418355BB070B132E7B1E26F6CC9053155443

C:\ProgramData\Low2FINUFJYW
MD5: 542A852FD1F65F0AC9CB401E98FB64C7
SHA256: B6227B485A9517906CDA638569923BDBF44C45D5295F0AB44040923C4CB730F0

C:\ProgramData\mf2FKnJ6G4PY
MD5: D367DDFDA80FDCF578726BC3B0BC3E3C
SHA256: 0B8607FDF72F3E651A2A8B0AC7BE171B4CB44909D76BB8D6C47393B8EA3D84A0

C:\ProgramData\UoMCkhDfglgy
MD5: 29A644B1F0D96166A05602FE27B3F4AD
SHA256: BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46

C:\ProgramData\2jOVZAMsSTkU
MD5: 95598559ADF42B08EEAEC4DA9139F34A
SHA256: 17229F40CF588999FEACE68ECC82A36590017F5148C2F696DC358283B50BF68D

C:\ProgramData\ARXmiSfnt1Zq
MD5: 643F2DD6AE87B2681A33B71E9EBDE13B
SHA256: 791078836C97EAB0A48C332BF4F864D6A9DBFE10C02095027671436553A63E12

C:\ProgramData\MQeOQYuM0Kxf
MD5: 5E7E1E3387F1FA981B8A73A588F1E11C
SHA256: 6E9D84198252E325C83A7FD432FFDAAEB126BF14E4A9E74E9FC29A8F7910A6E2
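Two things in this report are directly usable for a host-side hunt: the hashes in the Indicators section and the dropped-files table, and the naming pattern of the nine files written to C:\ProgramData, each of which has a 12-character alphanumeric name and no extension. The added example below (written for this page, not ANY.RUN or Stealc code) scans a directory for both. The known-hash set is copied from the report; the demo directory and its file contents are constructed, so only the name heuristic fires on the placeholder drop, and the hash path is exercised with an empty file whose SHA256 is added to the set for the demo only.

```python
"""Hunt for on-disk artifacts from this run: known hashes and the ProgramData naming pattern.

Added example. Hash values are copied from the report; everything written to disk
by demo() is constructed placeholder content.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Name shape of the nine ProgramData drops above (VBTs85u9fcHc, KmYMNSRA4OA6, ...).
RANDOM_NAME = re.compile(r"^[A-Za-z0-9]{12}$")

# SHA256 values from this report: the sample first, then the ten dropped files.
KNOWN_SHA256 = {h.lower() for h in (
    "87E6993296E3B64A2D27B96CD5A9B78C5C2BA0993901AAAFADE59B7F9A480D77",  # sample
    "4FAC37318809D95FBDC4A5170D67E506248D927AE9C55FE1D0134B509C699C0B",  # VBTs85u9fcHc
    "4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209",  # KmYMNSRA4OA6
    "05FA2581E3CEB24396E37500F55056E64C5378FC2F02EC3CF40B3C2A3EF96EB9",  # 23JVA4WF.json
    "9449376593BDBC61C221CF26F2DE418355BB070B132E7B1E26F6CC9053155443",  # ENOIP63mV3ak
    "B6227B485A9517906CDA638569923BDBF44C45D5295F0AB44040923C4CB730F0",  # Low2FINUFJYW
    "0B8607FDF72F3E651A2A8B0AC7BE171B4CB44909D76BB8D6C47393B8EA3D84A0",  # mf2FKnJ6G4PY
    "BF96902FEB97E990A471492F78EE8386BCF430D66BDAEFDEAFBF912C8CF7CE46",  # UoMCkhDfglgy
    "17229F40CF588999FEACE68ECC82A36590017F5148C2F696DC358283B50BF68D",  # 2jOVZAMsSTkU
    "791078836C97EAB0A48C332BF4F864D6A9DBFE10C02095027671436553A63E12",  # ARXmiSfnt1Zq
    "6E9D84198252E325C83A7FD432FFDAAEB126BF14E4A9E74E9FC29A8F7910A6E2",  # MQeOQYuM0Kxf
)}


def sha256_of(path, chunk_size=1 << 20):
    """Stream a file through SHA256 so a large drop is never loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root, known_hashes=KNOWN_SHA256):
    """Return findings for regular files directly under `root`, sorted by name.

    A file is reported if its SHA256 is in `known_hashes` or if its name fits the
    12-character extension-less pattern of the ProgramData drops.
    """
    findings = []
    for p in sorted(Path(root).iterdir(), key=lambda q: q.name):
        if not p.is_file():
            continue
        reasons = []
        digest = sha256_of(p)
        if digest in known_hashes:
            reasons.append("known-hash")
        if RANDOM_NAME.match(p.name):
            reasons.append("random-12char-name")
        if reasons:
            findings.append({"path": str(p), "sha256": digest, "reasons": reasons})
    return findings


# SHA256 of empty input; used only so the offline demo can exercise the hash path.
SHA256_EMPTY = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def demo():
    """Build a throwaway directory with constructed files and scan it."""
    d = Path(tempfile.mkdtemp(prefix="stealc-hunt-"))
    (d / "VBTs85u9fcHc").write_bytes(b"constructed placeholder, not the real drop")
    (d / "notes.txt").write_bytes(b"benign file, must not be reported")
    (d / "evil.bin").write_bytes(b"")  # hits SHA256_EMPTY through the extended set
    return scan(d, known_hashes=KNOWN_SHA256 | {SHA256_EMPTY})


if __name__ == "__main__":
    # Real use on a Windows host: scan the live ProgramData directory.
    root = os.environ.get("ProgramData", r"C:\ProgramData")
    for finding in (scan(root) if os.path.isdir(root) else demo()):
        print(finding)
```

The name heuristic is deliberately narrow (exactly 12 alphanumerics, no extension, top level of the directory only); widen it with care, since it will also catch any legitimate software that writes extension-less cache files there.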
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 29
TCP/UDP connections: 13
DNS requests: 9
Threats: 7

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | HEAD | 200 | 23.197.142.186:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | - | - | -
2556 | Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe | POST | 200 | 176.98.186.52:80 | http://bookpopoq.shop/43d10964878dfc17.php | unknown | - | - | unknown
2556 | Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe | POST | 200 | 176.98.186.52:80 | http://bookpopoq.shop/43d10964878dfc17.php | unknown | - | - | unknown
2556 | Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe | POST | 200 | 176.98.186.52:80 | http://bookpopoq.shop/43d10964878dfc17.php | unknown | - | - | unknown
2556 | Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe | POST | 200 | 176.98.186.52:80 | http://bookpopoq.shop/43d10964878dfc17.php | unknown | - | - | unknown
- | - | GET | 200 | 23.197.142.186:443 | https://fs.microsoft.com/fs/windows/config.json | unknown | binary | 55 b | whitelisted
5452 | MoUsoCoreWorker.exe | GET | 200 | 199.232.210.172:80 | http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a611b53bce54c856 | unknown | - | - | whitelisted
- | - | GET | 200 | 2.18.64.212:80 | http://www.msftconnecttest.com/connecttest.txt | unknown | - | - | whitelisted
- | - | GET | 200 | 195.201.57.90:443 | https://ipwho.is/ | unknown | binary | 721 b | malicious
2556 | Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe | POST | 200 | 176.98.186.52:80 | http://bookpopoq.shop/43d10964878dfc17.php | unknown | - | - | unknown
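The HTTP table is the most reusable part of this report for detection: the sample beacons five times with plain-HTTP POSTs to one gate whose path is a hex-named PHP script, and the same process fetches its public IP from ipwho.is. The added example below (written for this page, not ANY.RUN, Suricata or Stealc code) turns that into a small log-analysis routine. The log line format is an assumption made for the example; the hosts, URLs and PIDs in the constructed sample come from the tables above, the timestamps do not. The three extra IP-lookup hosts beside ipwho.is are assumed additions for coverage.

```python
"""Flag the HTTP beaconing pattern this run shows, in proxy or EDR network logs.

Added example. The pattern, read off the HTTP requests table above:
  * one process makes repeated plain-HTTP POSTs to the same gate whose path is
    a hex-named PHP script (http://bookpopoq.shop/43d10964878dfc17.php);
  * the same process also queries an external-IP lookup service (https://ipwho.is/).
"""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Gate path shape seen in the report: /43d10964878dfc17.php (16 hex characters).
HEX_PHP_GATE = re.compile(r"^/[0-9a-f]{8,32}\.php$")

# ipwho.is is the lookup host in this run; the other three are assumed, commonly
# seen lookup services added for coverage and are not taken from the report.
IP_LOOKUP_HOSTS = {"ipwho.is", "api.ipify.org", "ipinfo.io", "ip-api.com"}

# Assumed log line format (constructed for this example, not a vendor format):
#   <timestamp> pid=<n> proc="<image name>" <METHOD> <url> <status>
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) pid=(?P<pid>\d+) proc="(?P<proc>[^"]+)" '
    r'(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$'
)


def analyze(log_text, min_posts=3):
    """Return one finding per (process, gate) with at least `min_posts` POSTs.

    Each finding records whether the same process also hit an external-IP lookup
    service; that raises the confidence from "medium" to "high".
    """
    posts = defaultdict(lambda: defaultdict(int))  # pid -> gate url -> POST count
    names = {}                                     # pid -> image name
    lookups = set()                                # pids that did an IP lookup
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        pid = int(m["pid"])
        names[pid] = m["proc"]
        url = urlparse(m["url"])
        if url.hostname in IP_LOOKUP_HOSTS:
            lookups.add(pid)
        if m["method"] == "POST" and HEX_PHP_GATE.match(url.path):
            posts[pid][m["url"]] += 1
    findings = []
    for pid, gates in posts.items():
        for gate, count in gates.items():
            if count < min_posts:
                continue
            findings.append({
                "pid": pid,
                "process": names[pid],
                "gate": gate,
                "posts": count,
                "plain_http": urlparse(gate).scheme == "http",
                "ip_lookup": pid in lookups,
                "confidence": "high" if pid in lookups else "medium",
            })
    return findings


# Constructed sample: hosts, URLs and PIDs come from the report; timestamps and
# the line layout are made up for the example.
_PROC = "Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe"
_GATE = "http://bookpopoq.shop/43d10964878dfc17.php"
SAMPLE_LOG = "\n".join(
    [f'2025-05-22T09:34:20Z pid=2556 proc="{_PROC}" GET https://ipwho.is/ 200']
    + [f'2025-05-22T09:34:2{i}Z pid=2556 proc="{_PROC}" POST {_GATE} 200' for i in range(1, 6)]
    + [
        '2025-05-22T09:34:27Z pid=5452 proc="MoUsoCoreWorker.exe" GET '
        'http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?a611b53bce54c856 200',
        '2025-05-22T09:34:28Z pid=3672 proc="svchost.exe" GET https://fs.microsoft.com/fs/windows/config.json 200',
    ]
)

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The gate regex is intentionally the weakest link: a hex-named .php endpoint is a convention, not a signature, so treat a "medium" finding as a lead to pivot on (destination reputation, process ancestry, the ProgramData drops) rather than as a verdict. The IP-lookup correlation is what lifts it to "high" here, because the report shows both behaviours from the same PID.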

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 2.18.64.212:80 | - | Administracion Nacional de Telecomunicaciones | UY | unknown
- | - | 239.255.255.250:1900 | - | - | - | whitelisted
- | - | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5452 | MoUsoCoreWorker.exe | 199.232.210.172:80 | ctldl.windowsupdate.com | FASTLY | US | whitelisted
3672 | svchost.exe | 104.102.63.189:443 | fs.microsoft.com | AKAMAI-AS | US | whitelisted
2556 | Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe | 195.201.57.90:443 | ipwho.is | Hetzner Online GmbH | DE | malicious
2556 | Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe | 176.98.186.52:80 | bookpopoq.shop | Art-telecom Ltd. | RU | unknown
3640 | svchost.exe | 40.126.31.131:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2768 | svchost.exe | 23.50.131.216:80 | ctldl.windowsupdate.com | Akamai International B.V. | DE | whitelisted
2988 | OfficeClickToRun.exe | 51.104.15.252:443 | self.events.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
ctldl.windowsupdate.com
  • 199.232.210.172
  • 199.232.214.172
  • 23.50.131.216
  • 23.50.131.200
whitelisted
fs.microsoft.com
  • 104.102.63.189
whitelisted
google.com
  • 172.217.23.110
whitelisted
ipwho.is
  • 195.201.57.90
malicious
bookpopoq.shop
  • 176.98.186.52
unknown
login.live.com
  • 40.126.31.131
  • 20.190.159.23
  • 40.126.31.1
  • 40.126.31.0
  • 40.126.31.128
  • 40.126.31.129
  • 20.190.159.64
  • 40.126.31.69
whitelisted
self.events.data.microsoft.com
  • 51.104.15.252
whitelisted

Threats

PID | Process | Class | Message
- | - | Misc activity | ET INFO Microsoft Connection Test
1664 | svchost.exe | Potentially Bad Traffic | ET INFO External IP Lookup Domain in DNS Lookup (ipwho .is)
2556 | Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
2556 | Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
2556 | Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
2556 | Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
2556 | Türk Müziğinde Makamlar, Usuller ve Seyir Örnekleri - M.exe | Generic Protocol Command Decode | SURICATA HTTP unable to match response to request
No debug info