File name:

small.pdf.zip

Full analysis: https://app.any.run/tasks/9df1e7de-0207-42f1-a408-e37e700e41c4
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Malware Trends Tracker     >>>
Analysis date: April 18, 2025, 13:12:12
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
arch-doc
python
stealer
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

CB08DC7B1F1544D7124C2A773B16208D

SHA1:

4AC6C6C03D34B99219B4A9C5F3C53D115FF5E50D

SHA256:

6E578060D8770AAB3B5B91C377D914FBAF4915B47DB86620076460985B07F4FB

SSDEEP:

98304:zUofHMToT6KGOmlK7XJCndU9Ip8yj+OrGMY6ZAflVcEhfTWFAkIaItXwq6GUuftV:BXXLF1nZWCul3OhqIfhKZAhXZP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 2136)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 1128)
      • cmd.exe (PID: 6676)

    • Bypass execution policy to execute commands

      • powershell.exe (PID: 1180)

    • Changes powershell execution policy (Bypass)

      • python.exe (PID: 1184)

    • Actions looks like stealing of personal data

      • python.exe (PID: 1184)

    • ASYNCRAT has been detected (SURICATA)

      • python.exe (PID: 1184)

  • SUSPICIOUS

    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 2136)
      • BialystokUniversity_IncidentReport_Apr2025.BTD.pdf.exe (PID: 6988)

    • Process drops python dynamic module

      • WinRAR.exe (PID: 2136)
      • BialystokUniversity_IncidentReport_Apr2025.BTD.pdf.exe (PID: 6988)

    • Executable content was dropped or overwritten

      • BialystokUniversity_IncidentReport_Apr2025.BTD.pdf.exe (PID: 6988)
      • python.exe (PID: 1184)

    • The process drops C-runtime libraries

      • BialystokUniversity_IncidentReport_Apr2025.BTD.pdf.exe (PID: 6988)

    • Loads Python modules

      • python.exe (PID: 1184)
      • python.exe (PID: 4608)

    • Starts CMD.EXE for commands execution

      • python.exe (PID: 1184)
      • python.exe (PID: 4608)

    • Reads security settings of Internet Explorer

      • BialystokUniversity_IncidentReport_Apr2025.BTD.pdf.exe (PID: 6988)

    • Starts POWERSHELL.EXE for commands execution

      • python.exe (PID: 1184)

    • The process bypasses the loading of PowerShell profile settings

      • python.exe (PID: 1184)

    • Base64-obfuscated command line is found

      • python.exe (PID: 1184)

    • Connects to unusual port

      • python.exe (PID: 1184)

    • There is functionality for taking screenshot (YARA)

      • BialystokUniversity_IncidentReport_Apr2025.BTD.pdf.exe (PID: 6988)

    • Contacting a server suspected of hosting an CnC

      • python.exe (PID: 1184)

    • The process executes via Task Scheduler

      • wscript.exe (PID: 2980)

    • Checks for external IP

      • BialystokUniversity_IncidentReport_Apr2025.BTD.pdf.exe (PID: 6988)

    • BASE64 encoded PowerShell command has been detected

      • python.exe (PID: 1184)

    • Uses WMI to retrieve WMI-managed resources (SCRIPT)

      • wscript.exe (PID: 2980)

  • INFO

    • The sample compiled with english language support

      • WinRAR.exe (PID: 2136)
      • BialystokUniversity_IncidentReport_Apr2025.BTD.pdf.exe (PID: 6988)

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2136)

    • Manual execution by a user

      • BialystokUniversity_IncidentReport_Apr2025.BTD.pdf.exe (PID: 6988)

    • Checks supported languages

      • BialystokUniversity_IncidentReport_Apr2025.BTD.pdf.exe (PID: 6988)
      • python.exe (PID: 4608)
      • python.exe (PID: 1184)

    • Create files in a temporary directory

      • BialystokUniversity_IncidentReport_Apr2025.BTD.pdf.exe (PID: 6988)
      • python.exe (PID: 4608)
      • python.exe (PID: 1184)

    • Creates files or folders in the user directory

      • BialystokUniversity_IncidentReport_Apr2025.BTD.pdf.exe (PID: 6988)
      • python.exe (PID: 1184)

    • Python executable

      • python.exe (PID: 1184)
      • python.exe (PID: 4608)

    • Reads the computer name

      • BialystokUniversity_IncidentReport_Apr2025.BTD.pdf.exe (PID: 6988)
      • python.exe (PID: 1184)
      • python.exe (PID: 4608)

    • Checks proxy server information

      • BialystokUniversity_IncidentReport_Apr2025.BTD.pdf.exe (PID: 6988)

    • Reads the machine GUID from the registry

      • python.exe (PID: 1184)
      • python.exe (PID: 4608)

    • Reads the software policy settings

      • python.exe (PID: 1184)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 1180)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:04:18 10:29:52
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: BialystokUniversity.IncidentReport.Apr2025.BTD.pdf/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
143
Monitored processes
16
Malicious processes
2
Suspicious processes
2

Behavior graph

Click at the process to see the details
start winrar.exe sppextcomobj.exe no specs slui.exe no specs rundll32.exe no specs bialystokuniversity_incidentreport_apr2025.btd.pdf.exe #ASYNCRAT python.exe conhost.exe no specs python.exe no specs conhost.exe no specs cmd.exe no specs cmd.exe no specs schtasks.exe no specs schtasks.exe no specs powershell.exe no specs conhost.exe no specs wscript.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1128C:\WINDOWS\system32\cmd.exe /c "schtasks /Create /TN "WindowsHelper_EveryMinute" /XML "C:\Users\admin\AppData\Local\Temp\tmpc_qiolsd.xml" /F"C:\Windows\SysWOW64\cmd.exepython.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1180"powershell.exe" -NoProfile -ExecutionPolicy Bypass -Enc UgBlAGcAaQBzAHQAZQByAC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawAgAC0AVABhAHMAawBOAGEAbQBlACAAJwBlAHgAaABsAHAAdwAuAGUAeABlACcAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnAEMAOgBcAFUAcwBlAHIAcwBcAGEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABSAG8AYQBtAGkAbgBnAFwAZQB4AGgAbABwAHcALgBlAHgAZQAnACkAIAAtAFQAcgBpAGcAZwBlAHIAIAAoAE4AZQB3AC0AUwBjAGgAZQBkAHUAbABlAGQAVABhAHMAawBUAHIAaQBnAGcAZQByACAALQBPAG4AYwBlACAALQBBAHQAIAAoAEcAZQB0AC0ARABhAHQAZQApACAALQBSAGUAcABlAHQAaQB0AGkAbwBuAEkAbgB0AGUAcgB2AGEAbAAgACgATgBlAHcALQBUAGkAbQBlAFMAcABhAG4AIAAtAE0AaQBuAHUAdABlAHMAIAA1ACkAKQAgAC0AVQBzAGUAcgAgACQAZQBuAHYAOgBVAHMAZQByAE4AYQBtAGUAIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0ARQB4AGUAYwB1AHQAaQBvAG4AVABpAG0AZQBMAGkAbQBpAHQAIAAoAE4AZQB3AC0AVABpAG0AZQBTAHAAYQBuACAALQBTAGUAYwBvAG4AZABzACAAMAApACAALQBBAGwAbABvAHcAUwB0AGEAcgB0AEkAZgBPAG4AQgBhAHQAdABlAHIAaQBlAHMAIAAtAEQAbwBuAHQAUwB0AG8AcABJAGYARwBvAGkAbgBnAE8AbgBCAGEAdAB0AGUAcgBpAGUAcwApACAALQBGAG8AcgBjAGUAC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepython.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
1184"C:\Users\admin\AppData\Local\WindowsHelper\macOS\python.exe" "C:\Users\admin\AppData\Local\WindowsHelper\macOS\run.py"C:\Users\admin\AppData\Local\WindowsHelper\macOS\python.exe
BialystokUniversity_IncidentReport_Apr2025.BTD.pdf.exe
User:
admin
Company:
Python Software Foundation
Integrity Level:
MEDIUM
Description:
Python
Version:
3.11.4
Modules
Images
c:\users\admin\appdata\local\windowshelper\macos\python.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
2136"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\small.pdf.zipC:\Program Files\WinRAR\WinRAR.exe
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
2140C:\WINDOWS\system32\SppExtComObj.exe -EmbeddingC:\Windows\System32\SppExtComObj.Exesvchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
2268schtasks /Create /TN "WindowsHelper_EveryMinute" /XML "C:\Users\admin\AppData\Local\Temp\tmpp6bmv92d.xml" /FC:\Windows\SysWOW64\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
2980"wscript.exe" "C:\Users\admin\AppData\Local\WindowsHelper\run.vbs"C:\Windows\System32\wscript.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.812.10240.16384
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
4040C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
4068schtasks /Create /TN "WindowsHelper_EveryMinute" /XML "C:\Users\admin\AppData\Local\Temp\tmpc_qiolsd.xml" /FC:\Windows\SysWOW64\schtasks.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
4488\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exepython.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events
13 425
Read events
13 406
Write events
19
Delete events
0

Modification events

(PID) Process:(2136) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(2136) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(2136) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(2136) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\AppData\Local\Temp\small.pdf.zip
(PID) Process:(2136) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(2136) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(2136) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(2136) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(2136) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:writeName:name
Value:
256
(PID) Process:(2136) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:writeName:size
Value:
80
Executable files
62
Suspicious files
11
Text files
14
Unknown types
0

Dropped files

PID
Process
Filename
Type
2136WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2136.26282\BialystokUniversity.IncidentReport.Apr2025.BTD.pdf\macOS\libssl-1_1.dllexecutable
MD5:CA3F5E1496FC9AF4EDC9DC585E29C8FE
SHA256:CE48D4E55FAD09AE5DFE6CAEDDE57BBD04A1012F0F526E3705528AC1E2BA0268
2136WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2136.26282\BialystokUniversity.IncidentReport.Apr2025.BTD.pdf\macOS\7z_encrypted.binbinary
MD5:3AF1AE119D93CA01A1492FE23B8FFEC2
SHA256:D665C5FF9236DCE51E9747F179C2ADB414AE819C00CF693A4C4B4A84EFAF8AD6
2136WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2136.26282\BialystokUniversity.IncidentReport.Apr2025.BTD.pdf\macOS\LICENSE.txttext
MD5:EBCF45A479F291A0D965EA60B5F1C30B
SHA256:616FA565945ECA2F0E0A5440B3973FED7D5291622B90849212077FE68E27DCB0
2136WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2136.26282\BialystokUniversity.IncidentReport.Apr2025.BTD.pdf\macOS\libffi-8.dllexecutable
MD5:74D2B5E0120A6FAAE57042A9894C4430
SHA256:B982741576A050860C3F3608C7B269DBD35AB296429192B8AFA53F1F190069C0
2136WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2136.26282\BialystokUniversity.IncidentReport.Apr2025.BTD.pdf\macOS\libcrypto-1_1.dllexecutable
MD5:5829CDA43CAC0F04B8501D892A89CF59
SHA256:037D54D692D6B003B272F990FD25FCF8A462DD83D3693D3384AF28AE41519D9D
2136WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2136.26282\BialystokUniversity.IncidentReport.Apr2025.BTD.pdf\macOS\pyexpat.pydexecutable
MD5:3C97CEB3FA49DCB4F21A8855FAEDAC6F
SHA256:45140295649ECE38F988665B330198EF1F845F56D42411AEF90F403FF95C40CF
2136WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2136.26282\BialystokUniversity.IncidentReport.Apr2025.BTD.pdf\macOS\python.catbinary
MD5:77132B2720A8A259313F58D86532F81A
SHA256:B2AC3600EDC3093B066BB9DA73D4CAE055CBA9581E5172460A288E84B08EC499
2136WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2136.26282\BialystokUniversity.IncidentReport.Apr2025.BTD.pdf\hpreaderfprefs.dattext
MD5:6C08A4949B9DB64E06BA7989936C52C7
SHA256:29D4758C317CE47782A73064542A214BAF4252C10D45184BBADD445FA2569A26
2136WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2136.26282\BialystokUniversity.IncidentReport.Apr2025.BTD.pdf\macOS\python3.dllexecutable
MD5:5F1AF3F2396E33C79BB5DB70AF3FA181
SHA256:C78064A2828E0B4A3BF235C7A692BDAD4C9E3AE671DC9AECBACDC8EE48CA1A1B
2136WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa2136.26282\BialystokUniversity.IncidentReport.Apr2025.BTD.pdf\macOS\7z_encrypted.bin.decryptedbinary
MD5:BF4DC209C002B8256B960A16648125A7
SHA256:FD60AD5CA178D8A210A618D2FBBF6B1BCB8A90E7AB5659061B86C4DEDA97152C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
5
TCP/UDP connections
21
DNS requests
14
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
6372
SIHClient.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
6372
SIHClient.exe
GET
200
23.218.209.163:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
23.53.40.178:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6988
BialystokUniversity_IncidentReport_Apr2025.BTD.pdf.exe
GET
200
163.171.242.19:80
http://www.drm-x.com/pdfversion.htm
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
2104
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5496
MoUsoCoreWorker.exe
23.53.40.178:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.160.64:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
6544
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2112
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 51.104.136.2
  • 20.73.194.208
whitelisted
google.com
  • 142.250.185.206
whitelisted
crl.microsoft.com
  • 23.53.40.178
  • 23.53.40.176
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.160.64
  • 20.190.160.3
  • 20.190.160.128
  • 20.190.160.66
  • 20.190.160.17
  • 20.190.160.20
  • 40.126.32.76
  • 20.190.160.5
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
www.drm-x.com
  • 163.171.242.19
  • 138.113.69.24
  • 163.171.156.15
  • 163.171.242.20
  • 138.113.69.22
  • 163.171.132.220
  • 163.171.128.241
  • 163.171.128.150
  • 163.171.242.18
  • 163.171.132.91
unknown
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
www.microsoft.com
  • 23.218.209.163
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted

Threats

PID
Process
Class
Message
1184
python.exe
Domain Observed Used for C2 Detected
ET MALWARE Generic AsyncRAT/zgRAT Style SSL Cert
1184
python.exe
Malware Command and Control Activity Detected
REMOTE [ANY.RUN] AsyncRAT Successful Connection
6988
BialystokUniversity_IncidentReport_Apr2025.BTD.pdf.exe
Device Retrieving External IP Address Detected
SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
small.pdf.zip