File name:

ReleaseBootstrapper.exe

Full analysis: https://app.any.run/tasks/cdf539f6-74ab-499c-9d84-9a0c4fe509f0
Verdict: Malicious activity
Threats:

Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.

Malware Trends Tracker     >>>
Analysis date: March 25, 2025, 01:58:08
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
autoit
telegram
vidar
stealer
stealc
autoit-loader
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive, 5 sections
MD5:

E6B0F17E667A02188022382FE852C726

SHA1:

1BCB2A920EF0D61E4ED04C6ECA2466BD061AFCA6

SHA256:

D0BE0F705A18DAC97F49288D9DB0B1217E6AB5F666CC3066C3BDF1F8CE760C44

SSDEEP:

49152:lJ6Wgy2s0W+9jFPveQh3NDthnMW9lrx/41LvXUiInrOypL8IJu+L8O5twiVlpKmB:l/gDs74xHeQhdDF9lKFBInqyL4OIoxnF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • AutoIt loader has been detected (YARA)

      • Dock.com (PID: 6824)

    • VIDAR mutex has been found

      • Dock.com (PID: 6824)

    • Actions looks like stealing of personal data

      • Dock.com (PID: 6824)

    • Steals credentials from Web Browsers

      • Dock.com (PID: 6824)

  • SUSPICIOUS

    • Get information on the list of running processes

      • cmd.exe (PID: 6644)

    • Starts CMD.EXE for commands execution

      • ReleaseBootstrapper.exe (PID: 6744)
      • cmd.exe (PID: 6644)

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6644)

    • Application launched itself

      • cmd.exe (PID: 6644)

    • Executing commands from a ".bat" file

      • ReleaseBootstrapper.exe (PID: 6744)

    • Reads security settings of Internet Explorer

      • ReleaseBootstrapper.exe (PID: 6744)
      • Dock.com (PID: 6824)

    • The executable file from the user directory is run by the CMD process

      • Dock.com (PID: 6824)

    • Starts application with an unusual extension

      • cmd.exe (PID: 6644)

    • Starts the AutoIt3 executable file

      • cmd.exe (PID: 6644)

    • There is functionality for taking screenshot (YARA)

      • Dock.com (PID: 6824)

    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Dock.com (PID: 6824)

    • Searches for installed software

      • Dock.com (PID: 6824)

  • INFO

    • Reads the computer name

      • ReleaseBootstrapper.exe (PID: 6744)
      • extrac32.exe (PID: 2384)
      • Dock.com (PID: 6824)

    • Create files in a temporary directory

      • ReleaseBootstrapper.exe (PID: 6744)
      • extrac32.exe (PID: 2384)

    • Checks supported languages

      • ReleaseBootstrapper.exe (PID: 6744)
      • extrac32.exe (PID: 2384)
      • Dock.com (PID: 6824)

    • Creates a new folder

      • cmd.exe (PID: 5892)

    • Process checks computer location settings

      • ReleaseBootstrapper.exe (PID: 6744)

    • Reads mouse settings

      • Dock.com (PID: 6824)

    • Creates files in the program directory

      • Dock.com (PID: 6824)

    • Reads the software policy settings

      • SIHClient.exe (PID: 6564)
      • Dock.com (PID: 6824)
      • slui.exe (PID: 7144)

    • Creates files or folders in the user directory

      • Dock.com (PID: 6824)

    • Reads the machine GUID from the registry

      • Dock.com (PID: 6824)

    • Reads product name

      • Dock.com (PID: 6824)

    • Reads Environment values

      • Dock.com (PID: 6824)

    • Reads CPU info

      • Dock.com (PID: 6824)

    • Application launched itself

      • msedge.exe (PID: 6264)
      • chrome.exe (PID: 4220)

    • Checks proxy server information

      • Dock.com (PID: 6824)
      • slui.exe (PID: 7144)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable MS Visual C++ (generic) (42.2)
.exe | Win64 Executable (generic) (37.3)
.dll | Win32 Dynamic Link Library (generic) (8.8)
.exe | Win32 Executable (generic) (6)
.exe | Generic Win/DOS Executable (2.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:04:10 12:19:06+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 9
CodeSize: 25600
InitializedDataSize: 4094976
UninitializedDataSize: 16896
EntryPoint: 0x33ff
OSVersion: 5
ImageVersion: 6
SubsystemVersion: 5
Subsystem: Windows GUI
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
166
Monitored processes
37
Malicious processes
3
Suspicious processes
0

Behavior graph

Click at the process to see the details
start releasebootstrapper.exe no specs cmd.exe no specs conhost.exe no specs tasklist.exe no specs findstr.exe no specs tasklist.exe no specs findstr.exe no specs cmd.exe no specs extrac32.exe no specs findstr.exe no specs cmd.exe no specs cmd.exe no specs #VIDAR dock.com choice.exe no specs sihclient.exe chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs slui.exe msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs msedge.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
812tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
1116findstr "SophosHealth bdservicehost AvastUI AVGUI nsWscSvc ekrn" C:\Windows\SysWOW64\findstr.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Find String (QGREP) Utility
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\findstr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1188"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=4304 --field-trial-handle=2300,i,7198464388838734682,2252790480789883191,262144 --variations-seed-version /prefetch:8C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemsedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1324tasklist C:\Windows\SysWOW64\tasklist.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Lists the current running tasks
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\tasklist.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
1532"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3204 --field-trial-handle=1956,i,12172335132478030490,11479569540783496856,262144 --variations-seed-version /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
2140"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=1440 --field-trial-handle=1956,i,12172335132478030490,11479569540783496856,262144 --variations-seed-version /prefetch:3C:\Program Files\Google\Chrome\Application\chrome.exe
chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
2384extrac32 /Y /E Consider.accdtC:\Windows\SysWOW64\extrac32.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® CAB File Extract Utility
Exit code:
0
Version:
5.00 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2420"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2444 --field-trial-handle=2300,i,7198464388838734682,2252790480789883191,262144 --variations-seed-version /prefetch:3C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
2560cmd /c copy /b ..\Farmers.accdt + ..\Loving.accdt + ..\Essex.accdt + ..\Omissions.accdt N C:\Windows\SysWOW64\cmd.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
3024"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=9223 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4540 --field-trial-handle=1956,i,12172335132478030490,11479569540783496856,262144 --variations-seed-version /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
16 923
Read events
16 906
Write events
17
Delete events
0

Modification events

(PID) Process:(6824) Dock.comKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(6824) Dock.comKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(6824) Dock.comKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
(PID) Process:(4220) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:failed_count
Value:
0
(PID) Process:(4220) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
2
(PID) Process:(4220) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\BLBeacon
Operation:writeName:state
Value:
1
(PID) Process:(4220) chrome.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Google\Update\ClientStateMedium\{8A69D345-D564-463C-AFF1-A69D9E530F96}
Operation:writeName:usagestats
Value:
0
(PID) Process:(4220) chrome.exeKey:HKEY_CURRENT_USER\SOFTWARE\Google\Chrome\StabilityMetrics
Operation:writeName:user_experience_metrics.stability.exited_cleanly
Value:
0
(PID) Process:(6264) msedge.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault
Operation:writeName:S-1-5-21-1693682860-607145093-2874071422-1001
Value:
1AF07D5AB78F2F00
(PID) Process:(6264) msedge.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:writeName:failed_count
Value:
0
Executable files
8
Suspicious files
91
Text files
57
Unknown types
0

Dropped files

PID
Process
Filename
Type
6744ReleaseBootstrapper.exeC:\Users\admin\AppData\Local\Temp\Consider.accdtcompressed
MD5:2DBB271BA97E171B613BDFF649DE8A3A
SHA256:1D4D08714D46AF893D39A533F8F6C060B5E9CCA90CB9378C7F9675FAF2469D54
6744ReleaseBootstrapper.exeC:\Users\admin\AppData\Local\Temp\Farmers.accdtbinary
MD5:811F35F280FDD1E3CDFCED423B65289B
SHA256:E256B960E50D471C990BF8CDFD4B74C96242E14256B72948337ABA8F101020FE
2384extrac32.exeC:\Users\admin\AppData\Local\Temp\Randbinary
MD5:AEFBB751347FFF1C92606447EF1F8747
SHA256:D9A48B72483B24D073FF783D3058A28549924D7BF68BCF4A6C2D1F303A4BC8F6
2384extrac32.exeC:\Users\admin\AppData\Local\Temp\Artificialbinary
MD5:0E58AAABFABB2E319A758E4961D9DC24
SHA256:0A564744855736E0CB1E78CE368F197EBDEC8B2BF51614833F20095ECE18458F
2384extrac32.exeC:\Users\admin\AppData\Local\Temp\Diamondsbinary
MD5:3CCC7DDE95B5A425B3CD3FBBBD6E52F1
SHA256:9AC4012BE2E89950905FBD582FB674A1AD18816F45CEF9A1BD976592492AA549
2384extrac32.exeC:\Users\admin\AppData\Local\Temp\Springbinary
MD5:CDECFE5AD8BC85F3ABE608B909F87E1C
SHA256:7A6A0968506C4D9156A5DB02D29D37CB1817A9B82069E7BD24DE4FA684C9B3EA
2384extrac32.exeC:\Users\admin\AppData\Local\Temp\Createsbinary
MD5:4F0D9529E009B9DC45186BAEF93059A5
SHA256:8AF885085DBE2C96585D05253C5FC430B2219F4DCA5898E83EFF5767EF1C9041
2384extrac32.exeC:\Users\admin\AppData\Local\Temp\Arrangebinary
MD5:A54FF498C3AFF2F0BEF19883B7EBBA5B
SHA256:ABEDE8442F3DBF8F0E23BC3408D165B5469D99F36259C88DFA01B5193701F92A
2384extrac32.exeC:\Users\admin\AppData\Local\Temp\Rehabbinary
MD5:A59175D52E449F19FDA83F216D8EA86C
SHA256:797F6635CF70D41F32795EC0FAA2E687149C09DF3F25792D43D6F834A04B1846
2384extrac32.exeC:\Users\admin\AppData\Local\Temp\Establishedbinary
MD5:3B81EE4E6AB3BA8B4F69EC309FF589C1
SHA256:CABCC8FF82AAC6DA1602290B88548723FB90EA25BAC39E25247BA955338FDAEE
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
117
TCP/UDP connections
124
DNS requests
67
Threats
28

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
1532
RUXIMICS.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
304
4.245.163.56:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
20.242.39.171:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
6564
SIHClient.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
6564
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
6564
SIHClient.exe
GET
200
23.216.77.28:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
6564
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6564
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
POST
200
40.126.32.68:443
https://login.live.com/RST2.srf
unknown
xml
1.35 Kb
whitelisted
POST
400
40.126.32.68:443
https://login.live.com/ppsecure/deviceaddcredential.srf
unknown
text
203 b
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
1532
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
3216
svchost.exe
40.115.3.253:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1532
RUXIMICS.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
6544
svchost.exe
40.126.32.134:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5280
backgroundTaskHost.exe
20.223.36.55:443
arc.msn.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6564
SIHClient.exe
4.245.163.56:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 51.124.78.146
whitelisted
google.com
  • 142.250.185.142
whitelisted
client.wns.windows.com
  • 40.115.3.253
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
login.live.com
  • 40.126.32.134
  • 40.126.32.138
  • 40.126.32.68
  • 20.190.160.3
  • 40.126.32.76
  • 20.190.160.132
  • 20.190.160.65
  • 40.126.32.74
whitelisted
arc.msn.com
  • 20.223.36.55
whitelisted
dlmLBUzKKWWpirLBfbtXjYwRvnex.dlmLBUzKKWWpirLBfbtXjYwRvnex
unknown
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.95.31.18
whitelisted

Threats

PID
Process
Class
Message
6824
Dock.com
Misc activity
ET INFO Observed Telegram Domain (t .me in TLS SNI)
A Network Trojan was detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config M1
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
A Network Trojan was detected
STEALER [ANY.RUN] Base64 Encoded SQLite Dump
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
A Network Trojan was detected
STEALER [ANY.RUN] Base64 Encoded SQLite Dump
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
A Network Trojan was detected
STEALER [ANY.RUN] Base64 Encoded SQLite Dump
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
ReleaseBootstrapper.exe