File name:

mal3.7z

Full analysis: https://app.any.run/tasks/3b0d625a-063a-453a-898f-35949940ff11
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 18, 2025, 18:54:45
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
loader
delphi
Indicators:
MIME: application/x-7z-compressed
File info: 7-zip archive data, version 0.3
MD5:

1872C9863ECC368396E06F6008E77277

SHA1:

FFD6584886661695926E446F055996378FD651BC

SHA256:

B55D4C9373819BCBE1739B0274765458C9BF1B78FE0845850A55E13FA03B06E9

SSDEEP:

98304:OFPg1qXP9uOZ0gVpyjlC0U9ltexX7937zNRihZCSxC3yN5PAFQ+aMVFUPU+kMkMx:+pyjIjQrBga3H58sU

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Steals credentials from Web Browsers

      • mal3.exe (PID: 7228)

    • Actions looks like stealing of personal data

      • mal3.exe (PID: 7228)
      • VirtuServer128.exe (PID: 6480)

    • Executing a file with an untrusted certificate

      • hjksfll.exe (PID: 5380)
      • mal3.exe (PID: 7228)
      • DistriCompiler89.exe (PID: 7856)
      • DistriCompiler89.exe (PID: 7800)
      • hjksfba.exe (PID: 7816)
      • DistriCompiler89.exe (PID: 8084)
      • VirtuServer128.exe (PID: 6480)
      • shark.exe (PID: 2692)

    • Known privilege escalation attack

      • dllhost.exe (PID: 8056)

    • Uses Task Scheduler to run other applications

      • cmd.exe (PID: 3800)

  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • mal3.exe (PID: 7228)
      • DistriCompiler89.exe (PID: 7800)
      • hjksfba.exe (PID: 7816)
      • DistriCompiler89.exe (PID: 8084)
      • shark.exe (PID: 2692)

    • Potential Corporate Privacy Violation

      • mal3.exe (PID: 7228)

    • Executable content was dropped or overwritten

      • mal3.exe (PID: 7228)
      • hjksfll.exe (PID: 5380)
      • DistriCompiler89.exe (PID: 7856)
      • DistriCompiler89.exe (PID: 7800)
      • DistriCompiler89.exe (PID: 8084)
      • VirtuServer128.exe (PID: 6480)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5164)
      • hjksfba.exe (PID: 7816)

    • Reads security settings of Internet Explorer

      • hjksfll.exe (PID: 5380)
      • VirtuServer128.exe (PID: 6480)
      • MicrosoftEdgeUpdate.exe (PID: 1012)

    • Drops 7-zip archiver for unpacking

      • DistriCompiler89.exe (PID: 7800)

    • Starts itself from another location

      • DistriCompiler89.exe (PID: 7856)

    • Connects to unusual port

      • VirtuServer128.exe (PID: 6480)
      • shark.exe (PID: 2692)

    • Process drops legitimate windows executable

      • VirtuServer128.exe (PID: 6480)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5164)
      • MicrosoftEdgeUpdate.exe (PID: 1012)

    • Starts POWERSHELL.EXE for commands execution

      • VirtuServer128.exe (PID: 6480)
      • shark.exe (PID: 2692)

    • Starts process via Powershell

      • powershell.exe (PID: 8172)

    • Disables SEHOP

      • MicrosoftEdgeUpdate.exe (PID: 1012)

    • Starts CMD.EXE for commands execution

      • hjksfba.exe (PID: 7816)

    • Executes application which crashes

      • hjksfba.exe (PID: 7816)
      • shark.exe (PID: 2692)

    • Starts a Microsoft application from unusual location

      • MicrosoftEdgeUpdate.exe (PID: 1012)

    • The process executes via Task Scheduler

      • shark.exe (PID: 2692)

  • INFO

    • Manual execution by a user

      • mal3.exe (PID: 7228)

    • Reads the machine GUID from the registry

      • mal3.exe (PID: 7228)
      • 7za.exe (PID: 7984)
      • VirtuServer128.exe (PID: 6480)

    • Reads the computer name

      • elevation_service.exe (PID: 7488)
      • mal3.exe (PID: 7228)
      • hjksfll.exe (PID: 5380)
      • 7za.exe (PID: 7984)
      • DistriCompiler89.exe (PID: 7800)
      • DistriCompiler89.exe (PID: 7856)
      • DistriCompiler89.exe (PID: 8084)
      • VirtuServer128.exe (PID: 6480)
      • 7za.exe (PID: 4920)
      • MicrosoftEdgeUpdate.exe (PID: 1012)

    • Executes as Windows Service

      • elevation_service.exe (PID: 7488)

    • Reads the software policy settings

      • slui.exe (PID: 6564)
      • VirtuServer128.exe (PID: 6480)
      • MicrosoftEdgeUpdate.exe (PID: 1012)
      • wermgr.exe (PID: 856)

    • Checks proxy server information

      • slui.exe (PID: 6564)
      • VirtuServer128.exe (PID: 6480)
      • MicrosoftEdgeUpdate.exe (PID: 1012)
      • wermgr.exe (PID: 856)

    • Checks supported languages

      • elevation_service.exe (PID: 7488)
      • hjksfll.exe (PID: 5380)
      • mal3.exe (PID: 7228)
      • DistriCompiler89.exe (PID: 7856)
      • DistriCompiler89.exe (PID: 7800)
      • hjksfba.exe (PID: 7816)
      • 7za.exe (PID: 7984)
      • DistriCompiler89.exe (PID: 8084)
      • VirtuServer128.exe (PID: 6480)
      • 7za.exe (PID: 4920)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5164)
      • MicrosoftEdgeUpdate.exe (PID: 1012)
      • shark.exe (PID: 2692)

    • Creates files in the program directory

      • DistriCompiler89.exe (PID: 7856)
      • DistriCompiler89.exe (PID: 7800)
      • DistriCompiler89.exe (PID: 8084)
      • VirtuServer128.exe (PID: 6480)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5164)
      • hjksfba.exe (PID: 7816)

    • Create files in a temporary directory

      • DistriCompiler89.exe (PID: 7800)
      • DistriCompiler89.exe (PID: 8084)

    • The sample compiled with english language support

      • DistriCompiler89.exe (PID: 7800)
      • DistriCompiler89.exe (PID: 8084)
      • VirtuServer128.exe (PID: 6480)
      • MicrosoftEdgeUpdate.exe (PID: 1012)
      • MicrosoftEdgeWebview2Setup.exe (PID: 5164)

    • Compiled with Borland Delphi (YARA)

      • hjksfba.exe (PID: 7816)
      • shark.exe (PID: 2692)

    • Checks transactions between databases Windows and Oracle

      • 7za.exe (PID: 7984)

    • Reads security settings of Internet Explorer

      • dllhost.exe (PID: 8056)

    • Creates files or folders in the user directory

      • VirtuServer128.exe (PID: 6480)

    • Process checks computer location settings

      • MicrosoftEdgeUpdate.exe (PID: 1012)

    • Reads Environment values

      • MicrosoftEdgeUpdate.exe (PID: 1012)

    • Drops encrypted JS script (Microsoft Script Encoder)

      • hjksfba.exe (PID: 7816)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.7z | 7-Zip compressed archive (gen) (100)

EXIF

ZIP

FileVersion: 7z v0.03
ModifyDate: 2025:05:17 11:44:43+00:00
ArchivedFileName: mal3.exe
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
226
Monitored processes
57
Malicious processes
12
Suspicious processes
0

Behavior graph

Click at the process to see the details
start winrar.exe no specs slui.exe mal3.exe chrome.exe no specs msedge.exe no specs elevation_service.exe no specs chrome.exe no specs msedge.exe no specs chrome.exe no specs msedge.exe no specs chrome.exe no specs msedge.exe no specs hjksfll.exe districompiler89.exe districompiler89.exe hjksfba.exe 7za.exe no specs conhost.exe no specs CMSTPLUA districompiler89.exe virtuserver128.exe 7za.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs microsoftedgewebview2setup.exe microsoftedgeupdate.exe wermgr.exe werfault.exe no specs werfault.exe no specs werfault.exe no specs werfault.exe no specs cmd.exe no specs conhost.exe no specs schtasks.exe no specs werfault.exe no specs werfault.exe no specs shark.exe ucpdmgr.exe no specs conhost.exe no specs ucpdmgr.exe no specs conhost.exe no specs werfault.exe no specs werfault.exe no specs werfault.exe no specs werfault.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs powershell.exe no specs conhost.exe no specs werfault.exe no specs werfault.exe no specs werfault.exe no specs werfault.exe no specs werfault.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
132C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7816 -s 156C:\Windows\SysWOW64\WerFault.exehjksfba.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
660C:\WINDOWS\SysWOW64\WerFault.exe -u -p 7816 -s 608C:\Windows\SysWOW64\WerFault.exehjksfba.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
856"C:\WINDOWS\system32\wermgr.exe" "-outproc" "0" "1012" "2072" "2368" "2460" "0" "0" "0" "0" "0" "0" "0" "0" C:\Windows\SysWOW64\wermgr.exe
MicrosoftEdgeUpdate.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\wermgr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
896"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exemal3.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
1012"C:\Program Files (x86)\Microsoft\Temp\EU9808.tmp\MicrosoftEdgeUpdate.exe" /silent /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"C:\Program Files (x86)\Microsoft\Temp\EU9808.tmp\MicrosoftEdgeUpdate.exe
MicrosoftEdgeWebview2Setup.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft Edge Update
Exit code:
2147747592
Version:
1.3.195.25
Modules
Images
c:\program files (x86)\microsoft\temp\eu9808.tmp\microsoftedgeupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ole32.dll
c:\windows\syswow64\ucrtbase.dll
1204C:\WINDOWS\SysWOW64\WerFault.exe -u -p 2692 -s 672C:\Windows\SysWOW64\WerFault.exeshark.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
1268"C:\WINDOWS\system32\UCPDMgr.exe"C:\Windows\System32\UCPDMgr.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
User Choice Protection Manager
Exit code:
0
Version:
1.0.0.414301
Modules
Images
c:\windows\system32\ucpdmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
1584powershell -Command "Get-WmiObject Win32_Processor | Select-Object -ExpandProperty ProcessorId"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeshark.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
2692"C:\ProgramData\shark.exe"C:\ProgramData\shark.exe
svchost.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\programdata\shark.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
2848powershell -Command "Get-WmiObject Win32_DiskDrive | Select-Object -ExpandProperty SerialNumber | Select-Object -First 1"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeshark.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll
Total events
44 109
Read events
44 040
Write events
67
Delete events
2

Modification events

(PID) Process:(7252) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process:(7252) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:(7252) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:(7252) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:writeName:0
Value:
C:\Users\admin\Desktop\mal3.7z
(PID) Process:(7252) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:name
Value:
120
(PID) Process:(7252) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:size
Value:
80
(PID) Process:(7252) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:type
Value:
120
(PID) Process:(7252) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:writeName:mtime
Value:
100
(PID) Process:(7252) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface\MainWin
Operation:writeName:Placement
Value:
2C0000000000000001000000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF3D0000002D000000FD03000016020000
(PID) Process:(7252) WinRAR.exeKey:HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths
Operation:writeName:name
Value:
256
Executable files
214
Suspicious files
17
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
7252WinRAR.exeC:\Users\admin\AppData\Local\Temp\Rar$DRa7252.36989\mal3.exe
MD5:
SHA256:
5380hjksfll.exeC:\Users\admin\balata.appbinary
MD5:B91B05B3D67760A786C8B1EFC5955BC3
SHA256:3BF2616347DA3CF6440536EE343CA7B44811E9D5F7307CFEF9BE54714AB8AF00
7856DistriCompiler89.exeC:\ProgramData\Iaclientv2\DirectGUI.dllexecutable
MD5:DBB97D5BA941838BB34FF9F98BD47B6C
SHA256:D121A42FC56B92CD0B8AEDE3C0A268BEC534293F87DA0C774CF78CA557D3E1AD
8084DistriCompiler89.exeC:\Users\admin\AppData\Local\Temp\18E678.tmp
MD5:
SHA256:
5380hjksfll.exeC:\Users\admin\dx0.dllexecutable
MD5:693DFBB9B324E80B70660927CA1DEA69
SHA256:7C28D90E3484B566EE00ADAB4679A3D1C51F86F01560035D86C8F7788AC05234
7424chrome.exeC:\Users\admin\AppData\Local\Temp\Login Databinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
7228mal3.exeC:\Users\admin\hjksfll.exeexecutable
MD5:06CD992D7E3A5334AD400EAA61C160AB
SHA256:F86FB2936D6B0B2E6C84519734016EE8AE695457734194C6331F86D1962091DD
7664chrome.exeC:\Users\admin\AppData\Local\Temp\Cookiesbinary
MD5:06AD9E737639FDC745B3B65312857109
SHA256:C8925892CA8E213746633033AE95ACFB8DD9531BC376B82066E686AC6F40A404
7800DistriCompiler89.exeC:\ProgramData\Iaclientv2\7za.exeexecutable
MD5:874D01860E2C726CF7D18E0054E30ACA
SHA256:EC835CBAAD5C14EF5ABCD659199C2027D2C05CEE852FB82018D9D065261F304F
7856DistriCompiler89.exeC:\ProgramData\Iaclientv2\dx0.dllexecutable
MD5:693DFBB9B324E80B70660927CA1DEA69
SHA256:7C28D90E3484B566EE00ADAB4679A3D1C51F86F01560035D86C8F7788AC05234
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
11
TCP/UDP connections
58
DNS requests
21
Threats
42

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.48.23.177:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5892
SIHClient.exe
GET
200
23.48.23.188:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5892
SIHClient.exe
GET
200
23.48.23.188:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
5892
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
5892
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5892
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
5892
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
7228
mal3.exe
GET
200
172.67.221.174:80
http://h4.fringezipping.bet/sh.ext.bin
unknown
unknown
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
5892
SIHClient.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
23.48.23.177:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
7536
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7228
mal3.exe
172.67.221.174:443
CLOUDFLARENET
US
unknown
6564
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7228
mal3.exe
172.67.221.174:80
CLOUDFLARENET
US
unknown
6480
VirtuServer128.exe
15.197.198.189:8545
data-seed-prebsc-1-s1.binance.org
AMAZON-02
US
unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
whitelisted
google.com
  • 172.217.16.142
whitelisted
crl.microsoft.com
  • 23.48.23.177
  • 23.48.23.161
  • 23.48.23.174
  • 23.48.23.166
  • 23.48.23.160
  • 23.48.23.156
  • 23.48.23.162
  • 23.48.23.159
  • 23.48.23.173
  • 23.48.23.188
  • 23.48.23.176
  • 23.48.23.185
  • 23.48.23.134
  • 23.48.23.194
  • 23.48.23.138
  • 23.48.23.192
  • 23.48.23.179
whitelisted
www.microsoft.com
  • 184.30.21.171
whitelisted
activation-v2.sls.microsoft.com
  • 20.83.72.98
whitelisted
self.events.data.microsoft.com
  • 51.132.193.104
whitelisted
data-seed-prebsc-1-s1.binance.org
  • 15.197.198.189
  • 3.33.196.84
unknown
msedge.sf.dl.delivery.mp.microsoft.com
  • 2.16.106.5
  • 2.16.106.35
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
watson.events.data.microsoft.com
  • 20.42.73.29
whitelisted

Threats

PID
Process
Class
Message
A Network Trojan was detected
ET MALWARE ACR Stealer CnC Checkin Attempt
Misc activity
ET HUNTING ZIP file exfiltration over raw TCP
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
Potentially Bad Traffic
ET HUNTING Request to .TOP Domain with Minimal Headers
Potentially Bad Traffic
ET HUNTING Request to .TOP Domain with Minimal Headers
Potentially Bad Traffic
ET HUNTING Request to .TOP Domain with Minimal Headers
Misc activity
ET HUNTING ZIP file exfiltration over raw TCP
Potentially Bad Traffic
ET HUNTING Request to .TOP Domain with Minimal Headers
Misc activity
ET HUNTING ZIP file exfiltration over raw TCP
Potentially Bad Traffic
ET INFO HTTP Request to a *.top domain
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
mal3.7z