File name: Vipcardingtopc.exe

Full analysis: https://app.any.run/tasks/1913db6e-1dec-4c06-bc3d-a28ea7f650b9
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: March 07, 2025, 02:38:08
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
stealer
autoit
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 042F0B941E67179FB7C5FA70DAD5DD8D
SHA1: EC3B7D892DD6632B7AE92B0BBECE23FE614B3C53
SHA256: 0CF5C4B3399D094FA0C58399FAC521E4B2902DB7AE1692AA502F5784AC755D49
SSDEEP: 24576:NafYzaKMRoi0y2qUKdpmYs/Plf4HhSjrckztFmG5Zmy+Xerxuxy3uvm3A2c8DwRH:IfYzajRoi0y2qUKdpmYs/Plf4HhSjrc3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Actions look like stealing of personal data

      • Vipcardingtopc.exe (PID: 7324)
    • Modifies files in the Chrome extension folder

      • Vipcardingtopc.exe (PID: 7324)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • Vipcardingtopc.exe (PID: 7324)
    • The process creates files with name similar to system file names

      • Vipcardingtopc.exe (PID: 7324)
  • INFO

    • Reads mouse settings

      • Vipcardingtopc.exe (PID: 7324)
    • Creates files or folders in the user directory

      • Vipcardingtopc.exe (PID: 7324)
    • Creates files in the program directory

      • Vipcardingtopc.exe (PID: 7324)
    • The sample was compiled with English language support

      • Vipcardingtopc.exe (PID: 7324)
    • Checks supported languages

      • Vipcardingtopc.exe (PID: 7324)
    • The process uses AutoIt

      • Vipcardingtopc.exe (PID: 7324)
    • Creates files in a temporary directory

      • Vipcardingtopc.exe (PID: 7324)
    • Reads the machine GUID from the registry

      • Vipcardingtopc.exe (PID: 7324)
    • Checks proxy server information

      • slui.exe (PID: 7680)
    • Reads the software policy settings

      • slui.exe (PID: 7680)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (64.6)
.dll | Win32 Dynamic Link Library (generic) (15.4)
.exe | Win32 Executable (generic) (10.5)
.exe | Generic Win/DOS Executable (4.6)
.exe | DOS Executable Generic (4.6)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2018:08:29 10:57:03+00:00
ImageFileCharacteristics: Executable, Large address aware, 32-bit
PEType: PE32
LinkerVersion: 12
CodeSize: 581120
InitializedDataSize: 285184
UninitializedDataSize: -
EntryPoint: 0x27f4a
OSVersion: 5.1
ImageVersion: -
SubsystemVersion: 5.1
Subsystem: Windows GUI
FileVersionNumber: 0.0.0.0
ProductVersionNumber: 0.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (British)
CharacterSet: Unicode
No data.
Total processes: 123
Monitored processes: 2
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph nodes: start, vipcardingtopc.exe, slui.exe

Process information

PID | CMD | Path | Indicators | Parent process
7324 | "C:\Users\admin\Desktop\Vipcardingtopc.exe" | C:\Users\admin\Desktop\Vipcardingtopc.exe | - | explorer.exe
User: admin
Integrity Level: MEDIUM
Modules
Images
c:\users\admin\desktop\vipcardingtopc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\psapi.dll
7680 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | - | svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 3 393
Read events: 3 393
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 1
Suspicious files: 2 377
Text files: 237
Unknown types: 0

Dropped files

PID | Process | Filename | Type
7324 | Vipcardingtopc.exe | C:\Users\admin\AppData\Roaming\Network\neton.pbk | -
MD5:
SHA256:
7324 | Vipcardingtopc.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\netq.pbk | -
MD5:
SHA256:
7324 | Vipcardingtopc.exe | C:\Users\admin\AppData\Local\ConnectedDevicesPlatform\ActivitiesCache.db.eoeo | binary
MD5: 3BC41EDE63D80DD45451F328A81627BD
SHA256: C2B7343398BC6B5FF3445F5227790DA10B66FCD2BCF2E01E1CDAD3EC4D859283
7324 | Vipcardingtopc.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgeEDrop\EdgeEDropSQLite.db.eoeo | binary
MD5: F93E27B512B8EDD3803C6F96BC3A0994
SHA256: CC0A26242BF3B95F27DE0884D87B3C641D46ED2EFA4D0E578F247EF652997466
7324 | Vipcardingtopc.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\heavy_ad_intervention_opt_out.db.eoeo | binary
MD5: AE7061225559534F6F239ABF330E1787
SHA256: D55787B61196C16CF435EBAF51E01FF0DF196F512A0BCF159145C6517D882A26
7324 | Vipcardingtopc.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\databases\Databases.db.eoeo | binary
MD5: 94D51BFE80B48EA0133BED0CE6402CB2
SHA256: AA4528CA03D481F1C5D1067B203ACE4C38C7D0D16EE078324C176097645176E2
7324 | Vipcardingtopc.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\first_party_sets.db.eoeo | binary
MD5: 556CDE719B59D9254E8E5F3535975DB9
SHA256: 37D295B27B9E1BB7098B817053128537834C0E20E98FCC94C289CD27501A2718
7324 | Vipcardingtopc.exe | C:\Users\admin\AppData\Local\Google\Chrome\User Data\Default\databases\Databases.db.eoeo | binary
MD5: 23DE6B932E0A33D27B5B1D714BC0422F
SHA256: F3E5F08410BEAD80DB9877C770B44B132ACDE25D1362597F10B4CEB9DEEB10CD
7324 | Vipcardingtopc.exe | C:\Users\admin\AppData\Local\IconCache.db.eoeo | binary
MD5: B6AE989A9201FE80313ED8229C42CAF3
SHA256: E2066A252FA37C845464A1A62AB2150F4A6EEACEC2456960639EEE69D394EC23
7324 | Vipcardingtopc.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db.eoeo | binary
MD5: 5C37BAFB6F6B1C5E932FF62B6565364F
SHA256: 5FFDC36721E792B9CF6696A514950C913C56E240A309F320A4A8F9803A3BE7C4
HTTP(S) requests: 2
TCP/UDP connections: 20
DNS requests: 5
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
- | - | POST | 500 | 52.161.91.37:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted
- | - | POST | 500 | 52.161.91.37:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
- | - | 192.168.100.255:137 | - | - | - | whitelisted
2104 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
- | - | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6032 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted
7680 | slui.exe | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 4.231.128.59, 51.104.136.2 | whitelisted
google.com | 142.250.185.78 | whitelisted
activation-v2.sls.microsoft.com | 40.91.76.224 | whitelisted

Threats

No threats detected
No debug info