File name:

_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe

Full analysis: https://app.any.run/tasks/98130464-baa0-4b0d-9fc5-ea9d54c3c3c5
Verdict: Malicious activity
Threats:

Stealc is a stealer malware that targets victims’ sensitive data, which it exfiltrates from browsers, messaging apps, and other software. The malware is equipped with advanced features, including fingerprinting, control panel, evasion mechanisms, string obfuscation, etc. Stealc establishes persistence and communicates with its C2 server through HTTP POST requests.

Malware Trends Tracker     >>>
Analysis date: February 26, 2026, 23:02:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
xor-url
generic
auto-reg
stealer
stealc
vidar
golang
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 9 sections
MD5:

8CCCEFF3CCCB3C4F11C01EF1AD7C16B4

SHA1:

B175DCEB6D917936923880A67C50673FB652FAE6

SHA256:

F3E30BDADC67374A7536E28DAA0906AB8AB743D9AFEE075A1DDF519237546F12

SSDEEP:

49152:KoSywzv3xQ+XJPQbGcyF5VC99tFRd9Zpbcue2S9RNaHRmevyXcYvf4mAJeAJHAJE:+pLZLW95d9ZpbrSp0

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • XORed URL has been found (YARA)

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)
      • $99_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 4212)

    • Changes the autorun value in the registry

      • reg.exe (PID: 508)

    • STEALC has been detected (SURICATA)

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)

    • Steals credentials from Web Browsers

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)

    • Actions looks like stealing of personal data

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)

  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 4288)

    • Contacting a server suspected of hosting an CnC

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)

    • Executable content was dropped or overwritten

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)

    • Reads the date of Windows installation

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)

    • Possible stealing from crypto wallets

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)

    • Searches for installed software

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)

    • Possible stealing from browsers

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)

    • Possible stealing from password managers

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)

  • INFO

    • Launching a file from a Registry key

      • reg.exe (PID: 508)

    • Application based on Golang

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)
      • $99_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 4212)

    • Checks supported languages

      • $99_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 4212)
      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)

    • Checks proxy server information

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)
      • slui.exe (PID: 7976)

    • Creates files in the program directory

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)

    • Manual execution by a user

      • $99_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 4212)

    • Reads security settings of Internet Explorer

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)

    • Reads the computer name

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)
      • $99_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 4212)

    • Reads the machine GUID from the registry

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)

    • There is functionality for taking screenshot (YARA)

      • $99_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 4212)

    • Reads product name

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)

    • Reads Environment values

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)

    • Reads CPU info

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)

    • Application launched itself

      • chrome.exe (PID: 8544)
      • chrome.exe (PID: 1684)
      • chrome.exe (PID: 824)
      • chrome.exe (PID: 8952)

    • Drops script file

      • _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe (PID: 8488)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 0000:00:00 00:00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 3
CodeSize: 985600
InitializedDataSize: 169984
UninitializedDataSize: -
EntryPoint: 0x7c820
OSVersion: 6.1
ImageVersion: 1
SubsystemVersion: 6.1
Subsystem: Windows GUI
FileVersionNumber: 12.4.0.2386
ProductVersionNumber: 12.4.0.2386
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: DAEMON Tools Lite
CompanyName: Disc Soft Limited
FileDescription: DAEMON Tools Lite
FileVersion: 12.4.0.2386
InternalName: DTWpfInstaller.exe
LegalCopyright: © 2007-2025 Disc Soft Limited.
LegalTrademarks: -
OriginalFileName: DTWpfInstaller.exe
ProductName: DAEMON Tools Lite Installer
ProductVersion: 12.4.0.2386
AssemblyVersion: 12.4.0.2386
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
210
Monitored processes
64
Malicious processes
2
Suspicious processes
1

Behavior graph

Click at the process to see the details
start #STEALC _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe cmd.exe no specs conhost.exe no specs reg.exe #XOR-URL $99_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs slui.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
508reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "$99_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe" /t REG_SZ /d "C:\Users\admin\Documents\$99_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe" /fC:\Windows\System32\reg.exe
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
824"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default"C:\Program Files\Google\Chrome\Application\chrome.exe
_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1080"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --field-trial-handle=6088,i,14118299914043816973,12398627319787523163,262144 --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=5920 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1116"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1912,i,14118299914043816973,12398627319787523163,262144 --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=1304 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1524"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3280,i,14118299914043816973,12398627319787523163,262144 --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=3464 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
1656"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --disable-quic --string-annotations --field-trial-handle=5456,i,14118299914043816973,12398627319787523163,262144 --variations-seed-version=20251218-201203.402000 --mojo-platform-channel-handle=5736 /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1684"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory="Default"C:\Program Files\Google\Chrome\Application\chrome.exe
_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
1916"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3696,i,3499008145879170871,8126337733442257916,262144 --variations-seed-version=20260226-090104.641000-production --mojo-platform-channel-handle=1872 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
2036"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3308,i,3040438485575803393,10777597951361551966,262144 --variations-seed-version=20260226-090104.641000-production --mojo-platform-channel-handle=3324 /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\google\chrome\application\133.0.6943.127\chrome_elf.dll
c:\windows\system32\version.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
2244"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2036,i,3499008145879170871,8126337733442257916,262144 --variations-seed-version=20260226-090104.641000-production --mojo-platform-channel-handle=2028 /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Exit code:
0
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
7 483
Read events
7 479
Write events
4
Delete events
0

Modification events

(PID) Process:(508) reg.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:writeName:$99_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe
Value:
C:\Users\admin\Documents\$99_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe
(PID) Process:(8488) _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(8488) _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(8488) _f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
1
Suspicious files
81
Text files
126
Unknown types
36

Dropped files

PID
Process
Filename
Type
8544chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old~RF1f0950.TMP
MD5:
SHA256:
8544chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SegmentInfoDB\LOG.old
MD5:
SHA256:
8544chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old~RF1f095f.TMP
MD5:
SHA256:
8544chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
8544chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\LOG.old~RF1f095f.TMP
MD5:
SHA256:
8544chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old~RF1f095f.TMP
MD5:
SHA256:
8544chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\Segmentation Platform\SignalDB\LOG.old
MD5:
SHA256:
8544chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
8544chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\commerce_subscription_db\LOG.old~RF1f096f.TMP
MD5:
SHA256:
8544chrome.exeC:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\LOG.old~RF1f096f.TMP
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
230
TCP/UDP connections
138
DNS requests
92
Threats
19

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3304
SIHClient.exe
GET
304
74.178.76.128:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
US
whitelisted
5660
RUXIMICS.exe
GET
200
23.55.110.193:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
7544
svchost.exe
GET
200
23.55.110.193:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
6768
MoUsoCoreWorker.exe
GET
200
23.55.110.193:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
NL
binary
825 b
whitelisted
6768
MoUsoCoreWorker.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
5660
RUXIMICS.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
POST
200
20.190.159.128:443
https://login.live.com/RST2.srf
US
binary
10.3 Kb
whitelisted
7544
svchost.exe
GET
200
88.221.169.152:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
US
binary
814 b
whitelisted
POST
200
20.190.159.128:443
https://login.live.com/RST2.srf
US
binary
10.3 Kb
whitelisted
356
svchost.exe
POST
200
20.190.159.131:443
https://login.live.com/RST2.srf
US
binary
10.3 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
Not routed
whitelisted
7544
svchost.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
5660
RUXIMICS.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6768
MoUsoCoreWorker.exe
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
92.123.104.67:443
www.bing.com
AKAMAI-ASN1
NL
whitelisted
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
4
System
192.168.100.255:138
Not routed
whitelisted
6768
MoUsoCoreWorker.exe
23.55.110.193:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
5660
RUXIMICS.exe
23.55.110.193:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted
7544
svchost.exe
23.55.110.193:80
crl.microsoft.com
AKAMAI-ASN1
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 40.127.240.158
whitelisted
self.events.data.microsoft.com
  • 13.69.239.72
  • 20.42.73.27
whitelisted
www.bing.com
  • 92.123.104.67
  • 92.123.104.34
  • 92.123.104.60
  • 92.123.104.28
  • 92.123.104.47
  • 92.123.104.59
  • 92.123.104.52
  • 92.123.104.19
  • 92.123.104.49
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
google.com
  • 142.251.141.14
whitelisted
crl.microsoft.com
  • 23.55.110.193
  • 23.55.110.211
  • 23.48.23.18
  • 23.48.23.33
  • 23.48.23.50
  • 23.48.23.58
  • 23.48.23.51
  • 23.48.23.11
  • 23.48.23.35
  • 23.48.23.10
whitelisted
www.microsoft.com
  • 88.221.169.152
  • 23.52.181.212
whitelisted
login.live.com
  • 20.190.159.131
  • 40.126.31.71
  • 20.190.159.4
  • 20.190.159.0
  • 40.126.31.1
  • 20.190.159.128
  • 40.126.31.130
  • 40.126.31.67
  • 20.190.160.4
  • 20.190.160.130
  • 40.126.32.74
  • 20.190.160.14
  • 20.190.160.65
  • 20.190.160.64
  • 40.126.32.72
  • 20.190.160.22
whitelisted
telegram.me
  • 149.154.167.99
whitelisted
slscr.update.microsoft.com
  • 74.178.76.128
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
8488
_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe
A Network Trojan was detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M1
8488
_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
8488
_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
8488
_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
8488
_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
8488
_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
8488
_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
8488
_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe
Malware Command and Control Activity Detected
ET MALWARE Win32/Stealc/Vidar Stealer Style Headers In HTTP POST M2
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2026 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
_f3e30bdadc67374a7536e28daa0906ab8ab743d9afee075a1ddf519237546f12.exe