File name:

RubyInstaller.zip

Full analysis: https://app.any.run/tasks/f38be00b-af6e-4ffa-a1ff-483ad9576bb7
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The category includes programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: April 29, 2025, 09:56:03
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-doc
python
discord
stealer
evasion
telegram
ims-api
generic
blind-copy
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

90CBED2E8F839842BE433D7C001F4278

SHA1:

D50E03C015EC4DB9E84274917B7418296F3CB218

SHA256:

9325B95B119309A6C4EFF73859569D83E85A6E6B67AD23E0E052458E834EF9C7

SSDEEP:

196608:DxRPWB1OlSuzMpd+VSFW5jIqdObehW6rCKloUuJm8rX9tbr:DDuB19gVVWUw6UoFlG9tbr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • Ruby Installer.exe (PID: 3008)
    • Actions look like stealing of personal data

      • Ruby Installer.exe (PID: 3008)
  • SUSPICIOUS

    • Process drops python dynamic module

      • WinRAR.exe (PID: 4428)
    • Generic archive extractor

      • WinRAR.exe (PID: 4428)
    • Process drops legitimate windows executable

      • WinRAR.exe (PID: 4428)
    • Starts CMD.EXE for command execution

      • Ruby Installer.exe (PID: 3008)
    • Loads Python modules

      • Ruby Installer.exe (PID: 3008)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • Ruby Installer.exe (PID: 3008)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • Ruby Installer.exe (PID: 3008)
    • Checks for external IP

      • svchost.exe (PID: 2196)
      • Ruby Installer.exe (PID: 3008)
    • Multiple wallet extension IDs have been found

      • Ruby Installer.exe (PID: 3008)
    • There is functionality for taking screenshot (YARA)

      • Ruby Installer.exe (PID: 3008)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 4428)
    • The sample was compiled with English language support

      • WinRAR.exe (PID: 4428)
    • Checks proxy server information

      • slui.exe (PID: 6112)
      • Ruby Installer.exe (PID: 3008)
    • Reads the software policy settings

      • slui.exe (PID: 6112)
    • Manual execution by a user

      • Ruby Installer.exe (PID: 3008)
    • Reads the computer name

      • Ruby Installer.exe (PID: 3008)
    • Checks supported languages

      • Ruby Installer.exe (PID: 3008)
    • Checks operating system version

      • Ruby Installer.exe (PID: 3008)
    • Creates files in a temporary directory

      • Ruby Installer.exe (PID: 3008)
    • Attempting to use instant messaging service

      • Ruby Installer.exe (PID: 3008)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

ims-api

(PID) Process(3008) Ruby Installer.exe
Telegram-Tokens (1): 7314319960:AAG8duFZrF4eB35xJR-_JxiSudg5dlbhfto
Telegram-Info-Links
7314319960:AAG8duFZrF4eB35xJR-_JxiSudg5dlbhfto
Get info about bot: https://api.telegram.org/bot7314319960:AAG8duFZrF4eB35xJR-_JxiSudg5dlbhfto/getMe
Get incoming updates: https://api.telegram.org/bot7314319960:AAG8duFZrF4eB35xJR-_JxiSudg5dlbhfto/getUpdates
Get webhook: https://api.telegram.org/bot7314319960:AAG8duFZrF4eB35xJR-_JxiSudg5dlbhfto/getWebhookInfo
Delete webhook: https://api.telegram.org/bot7314319960:AAG8duFZrF4eB35xJR-_JxiSudg5dlbhfto/deleteWebhook
Drop incoming updates: https://api.telegram.org/bot7314319960:AAG8duFZrF4eB35xJR-_JxiSudg5dlbhfto/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token: 7314319960:AAG8duFZrF4eB35xJR-_JxiSudg5dlbhfto
End-Point: sendPhoto
Args
chat_id (1): -4248047512
parse_mode (1): HTML
caption (1): CStealer (Telegram Version) https://t.me/cstealerr 👨‍👩‍👧‍👦 Team Name: Default 👷‍♂️ Worker ID: 0001 🦣 Name: admin 📱 Phone: Not Available 📬 E-Mail: Not Available 🌏 IP: None (😕 GL-DB) 💻 OS%3
No Malware configuration.

TRiD

.zip | ZIP compressed archive (36.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:07:23 07:46:20
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: Ruby Installer/
No data.
All screenshots are available in the full report
Total processes
127
Monitored processes
7
Malicious processes
1
Suspicious processes
0

Behavior graph (interactive in the full report; processes shown: winrar.exe, slui.exe, rundll32.exe (no specs), ruby installer.exe, cmd.exe (no specs), conhost.exe (no specs), svchost.exe)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 2040
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 3008
CMD: "C:\Users\admin\Desktop\Ruby Installer\Ruby Installer.exe"
Path: C:\Users\admin\Desktop\Ruby Installer\Ruby Installer.exe
Parent process: explorer.exe
User:
admin
Company:
dacheats.co
Integrity Level:
MEDIUM
Description:
Ruby Installer
Exit code:
0
Version:
1.2.0.0
Modules
Images
c:\users\admin\desktop\ruby installer\ruby installer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 4188
CMD: C:\WINDOWS\system32\cmd.exe /c "ver"
Path: C:\Windows\System32\cmd.exe
Parent process: Ruby Installer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 4428
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\RubyInstaller.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 4608
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 6112
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
5 119
Read events
5 101
Write events
18
Delete events
0

Modification events

Process: (4428) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value:
C:\Users\admin\Desktop\preferences.zip
Process: (4428) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
Process: (4428) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
Process: (4428) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\Desktop\RubyInstaller.zip
Process: (4428) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120
Process: (4428) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80
Process: (4428) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120
Process: (4428) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100
Process: (4428) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation: write
Name: name
Value:
256
Process: (4428) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation: write
Name: size
Value:
80
Executable files
164
Suspicious files
706
Text files
1 628
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID 4428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa4428.39958\Ruby Installer\lib\asyncio\mixins.pyc | binary
MD5:9661427DC1D4F1A3E0166494C5B2FACE
SHA256:065B30895703FDA5E93EAD0051132B8EC7CB451B391CD3BADA67A5B3A66A9C0A
PID 4428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa4428.39958\Ruby Installer\lib\asyncio\base_events.pyc | binary
MD5:73D4D9419CB7446D9873A901D9DBEE95
SHA256:5445E67212BEBCEDE5CEED27C19D8FA43C4D517AEA3FE119592A153B4956048B
PID 4428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa4428.39958\Ruby Installer\lib\asyncio\base_subprocess.pyc | binary
MD5:6D34066672FCE4E28E63B33BC1E04FF2
SHA256:DBEBC419591BDFB31619C7CF429D9C04699C0ADC07CCDF8FA7F260F6A6BE9DD3
PID 4428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa4428.39958\Ruby Installer\lib\asyncio\base_tasks.pyc | binary
MD5:680E522B9A2F58875F56DC406C050632
SHA256:94247088CB8111A7AA94E77FB6419EFC69DE426FE593697E5613487EF669B111
PID 4428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa4428.39958\Ruby Installer\lib\asyncio\events.pyc | binary
MD5:40AF50C688F6475473DDF8D4B659BA86
SHA256:288C7D30B956B774D12C4F6364287C04A23CB1E76BF04B1B5BF634854B0A1F76
PID 4428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa4428.39958\Ruby Installer\lib\asyncio\locks.pyc | binary
MD5:9734FAD1704D1697484BE6E4ED08FBB7
SHA256:049A61A9B84EAC875F169D23B3653A4D8E25560517DB191B41D81A81B5FFBC06
PID 4428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa4428.39958\Ruby Installer\lib\asyncio\constants.pyc | binary
MD5:3BA36BAE5EC7E6FB0B1AE10251181586
SHA256:510EEA0837BC0350195AF21218426D0D2DD4DB58D01782916E52043B97A4F838
PID 4428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa4428.39958\Ruby Installer\lib\asyncio\format_helpers.pyc | binary
MD5:6F429F57B33E6ECD8A8F21A1ECC82B79
SHA256:9A049F98EE7D85FF4A013C785127B6A707ACAE4E9008A43900088ED817763D9B
PID 4428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa4428.39958\Ruby Installer\lib\asyncio\coroutines.pyc | binary
MD5:2F30AC25F6E022322AF3141DB9D053B9
SHA256:699EC65EE8F7784B5A5AC6FD67A1170F82E6B2DF283F57A04F431A46406DA940
PID 4428 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa4428.39958\Ruby Installer\lib\asyncio\exceptions.pyc | binary
MD5:8C384B3C8F18B05DF72116B545A5E558
SHA256:652E6B935A1CEDDE0C212162A3C3006495EEFB7A5BC8EA8A5E54573DD2589C8C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
19
TCP/UDP connections
55
DNS requests
17
Threats
33

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5960
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
GET
200
13.95.31.18:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
2104
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
GET
304
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
200
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
5960
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
GET
200
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
GET
304
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
5960
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
660
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
6112
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
3008
Ruby Installer.exe
162.159.128.233:443
discord.com
CLOUDFLARENET
whitelisted
3008
Ruby Installer.exe
172.67.74.152:443
api.ipify.org
CLOUDFLARENET
US
shared
3008
Ruby Installer.exe
159.89.102.253:443
geolocation-db.com
DIGITALOCEAN-ASN
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.42
  • 23.216.77.20
  • 23.216.77.25
  • 23.216.77.36
  • 23.216.77.28
  • 23.216.77.21
  • 23.216.77.41
  • 23.216.77.35
  • 23.216.77.43
  • 23.216.77.19
  • 23.216.77.30
  • 23.216.77.18
  • 23.216.77.29
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
discord.com
  • 162.159.128.233
  • 162.159.136.232
  • 162.159.135.232
  • 162.159.138.232
  • 162.159.137.232
whitelisted
api.ipify.org
  • 172.67.74.152
  • 104.26.12.205
  • 104.26.13.205
shared
geolocation-db.com
  • 159.89.102.253
whitelisted
api.gofile.io
  • 45.112.123.126
  • 51.91.7.6
whitelisted
api.telegram.org
  • 149.154.167.220
whitelisted

Threats

PID
Process
Class
Message
2196
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
2196
svchost.exe
Misc activity
ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
3008
Ruby Installer.exe
Misc activity
ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
3008
Ruby Installer.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
3008
Ruby Installer.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
3008
Ruby Installer.exe
Misc activity
ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Domain in DNS Lookup (geolocation-db .com)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
3008
Ruby Installer.exe
Misc activity
ET INFO External IP Lookup Domain (geolocation-db .com) in TLS SNI
No debug info