File name: SMTP[1].eml (24).tgz

Full analysis: https://app.any.run/tasks/e8d093cd-1923-4b4b-b0c0-20bf4db80984
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The category includes programs that each focus on a particular kind of data, such as files, passwords, and cryptocurrency wallets. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: April 15, 2025, 09:59:39
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: susp-attachments, attachments, attc-unc, stealer, evasion, telegram
Indicators:
MIME: application/gzip
File info: gzip compressed data, last modified: Tue Apr 15 09:29:49 2025, from Unix, original size modulo 2^32 1003520
MD5: A5485298DB9519528D98873BDA01A154
SHA1: B6582B557FBCF1E3513588DD437EEFD7F3FE48E7
SHA256: 044BC79654EC6FF47488C566D52AB482D49E41DD64D61EFD2777C36705971D16
SSDEEP: 24576:WEtPEw52dC/FRFDJujE1non8ci136zwJDPTugJwsPQxDszwYFHjxskEX2AZLdv3a:WEtPE82d6FRFFYE1non8ci136WDPTugt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7624)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 4628)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
    • Actions look like stealing of personal data

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
    • Stealer network behavior

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
  • SUSPICIOUS

    • Application launched itself

      • WinRAR.exe (PID: 7328)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7624)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 4628)
    • Creates a file in the system drive root

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7624)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 4628)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 7328)
      • WinRAR.exe (PID: 7808)
      • WinRAR.exe (PID: 5352)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
    • Reads Microsoft Outlook installation path

      • WinRAR.exe (PID: 7808)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7624)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 4628)
    • Executable content was dropped or overwritten

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7624)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 4628)
    • The process creates files with name similar to system file names

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7624)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 4628)
    • There is functionality for taking screenshots (YARA)

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7624)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 4628)
    • Uses TASKKILL.EXE to kill browsers

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
    • Checks for external IP

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
  • INFO

    • The sample was compiled with English language support

      • WinRAR.exe (PID: 7328)
      • WinRAR.exe (PID: 7808)
      • OUTLOOK.EXE (PID: 8000)
      • WinRAR.exe (PID: 5352)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5352)
    • Checks supported languages

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7624)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 4628)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 7808)
    • Manual execution by a user

      • WinRAR.exe (PID: 5352)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 4628)
    • Creates files in a temporary directory

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7624)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 4628)
    • Reads the software policy settings

      • slui.exe (PID: 7496)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • slui.exe (PID: 7772)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
    • Reads the computer name

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
    • Reads the machine GUID from the registry

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
    • Checks proxy server information

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • slui.exe (PID: 7772)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
    • Creates files or folders in the user directory

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
No Malware configuration.

TRiD

.z/gz/gzip | GZipped data (100)

EXIF

ZIP

Compression: Deflated
Flags: (none)
ModifyDate: 2025:04:15 09:29:49+00:00
ExtraFlags: (none)
OperatingSystem: Unix
No data.
All screenshots are available in the full report
Total processes: 154
Monitored processes: 17
Malicious processes: 5
Suspicious processes: 0

Behavior graph (interactive view available in the full report)

Processes shown in the graph, in order: winrar.exe (no specs), sppextcomobj.exe (no specs), slui.exe, winrar.exe (no specs), outlook.exe, ai.exe (no specs), winrar.exe, bank slip_tt copy-025-14-4-2025.exe, slui.exe, bank slip_tt copy-025-14-4-2025.exe, taskkill.exe (no specs), conhost.exe (no specs), outlook.exe (no specs), bank slip_tt copy-025-14-4-2025.exe, bank slip_tt copy-025-14-4-2025.exe, taskkill.exe (no specs), conhost.exe (no specs)

Process information

Fields per process: PID, command line (CMD), path, indicators, parent process, followed by process details and the loaded modules (images).
PID: 1660
CMD: taskkill /f /im chrome.exe
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: BANK SLIP_TT COPY-025-14-4-2025.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2420
CMD: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding
Path: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft Outlook
Exit code: 0
Version: 16.0.16026.20146
Modules (images):
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 4628
CMD: "C:\Users\admin\Desktop\BANK SLIP_TT COPY-025-14-4-2025.exe"
Path: C:\Users\admin\Desktop\BANK SLIP_TT COPY-025-14-4-2025.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.3.0.0
Modules (images):
c:\users\admin\desktop\bank slip_tt copy-025-14-4-2025.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 5352
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\BANK SLIP_TT COPY-025-14-4-2025.txz"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 5376
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5892
CMD: "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "1DDC4ED6-2195-4495-8C78-BD25866072B4" "2BD4F4D8-325E-42AE-81D3-1664951EE48B" "8000"
Path: C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version: 0.12.2.0
Modules (images):
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
PID: 7176
CMD: "C:\Users\admin\Desktop\BANK SLIP_TT COPY-025-14-4-2025.exe"
Path: C:\Users\admin\Desktop\BANK SLIP_TT COPY-025-14-4-2025.exe
Parent process: BANK SLIP_TT COPY-025-14-4-2025.exe
User: admin
Integrity Level: MEDIUM
Version: 1.3.0.0
Modules (images):
c:\windows\syswow64\mshtml.dll
c:\users\admin\desktop\bank slip_tt copy-025-14-4-2025.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 7328
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SMTP[1].eml (24).tgz.gz"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 7460
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: KMS Connection Broker
Exit code: 0
Version: 10.0.19041.3996 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 7496
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Windows Activation Client
Exit code: 1
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events: 26 676
Read events: 24 607
Write events: 1 894
Delete events: 175

Modification events

PID | Process | Key | Operation | Name | Value
7328 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\preferences.zip
7328 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\chromium_ext.zip
7328 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 1 | C:\Users\admin\Desktop\omni_23_10_2024_.zip
7328 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 0 | C:\Users\admin\AppData\Local\Temp\SMTP[1].eml (24).tgz.gz
7328 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | name | 120
7328 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | size | 80
7328 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | type | 120
7328 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | write | mtime | 100
7808 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 3 | C:\Users\admin\Desktop\chromium_ext.zip
7808 | WinRAR.exe | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | write | 2 | C:\Users\admin\Desktop\omni_23_10_2024_.zip
Executable files: 4
Suspicious files: 45
Text files: 11
Unknown types: 2

Dropped files

PID | Process | Filename | Type
8000 | OUTLOOK.EXE | C:\Users\admin\Documents\Outlook Files\Outlook1.pst |
MD5:
SHA256:
7328 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa7328.49959\SMTP[1].eml (24).tgz | compressed
MD5: 248000CB1472E3ED782E0426C11A3C11
SHA256: 877EBEE900FEFB169CC48F76DE2709BF81879447E00F045ED10F20FA86724D49
8000 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Temp\olkFBF6.tmp | binary
MD5: 52BDE58247E8ECEEF13DC8D928DFB193
SHA256: 557AE5B3E73349462E30510083254D44C273A1E103AD20CDFC3C1C1EA4C0D0BF
8000 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres | binary
MD5: CB7019D5404A0C8CD4A7AF5ADBCEC8C7
SHA256: F2745489D8A0EE63E1F0782FDFCB7FA6FACA225EFB2A60164277D71CF9E63292
8000 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin | text
MD5: CC90D669144261B198DEAD45AA266572
SHA256: 89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
8000 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\88D92FE9-2465-4970-9962-DAC893D1B25D | xml
MD5: D66888D507EE5614394C60D45E09194F
SHA256: 0A8147A8FC1751B846AAD89D9C1327DF46373469AAF619AAD5DCFAA3A6869461
8000 | OUTLOOK.EXE | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A | binary
MD5: D405C2704F695A319CD198ACB7FAD761
SHA256: EE28E7EEA4FA24F3CB4DB1F640818336AF05117F5A574EFAF4A2C3BBDF38A042
8000 | OUTLOOK.EXE | C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntitiesUpdated.bin | text
MD5: 9FE1880E7A11FE60C9821E833F9DAD3C
SHA256: 2725D80378AA345CACC289C9B271938BAD6D338554091302C15908B1B23A19A4
7808 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa7808.998\SMTP[1].eml | binary
MD5: E1F3952270664BD34F1C1FBA8483D68F
SHA256: 096DF9D2FB9B5EC89D19CCA85142D508622F23BCDBEAB3C0FF748502EA4C4741
7624 | BANK SLIP_TT COPY-025-14-4-2025.exe | C:\Users\admin\pacifist\Spidslrkernes\mendelssohnic.tra |
MD5:
SHA256:
Download the PCAP and analyze network streams, HTTP content and more in the full report.
HTTP(S) requests: 15
TCP/UDP connections: 44
DNS requests: 31
Threats: 12

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 2.16.164.89:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
8000 | OUTLOOK.EXE | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | unknown | whitelisted
8000 | OUTLOOK.EXE | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D | unknown | whitelisted
6148 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
6148 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
7708 | BANK SLIP_TT COPY-025-14-4-2025.exe | GET | 200 | 172.217.23.99:80 | http://c.pki.goog/r/r4.crl | unknown | whitelisted
7708 | BANK SLIP_TT COPY-025-14-4-2025.exe | GET | 200 | 172.217.18.3:80 | http://o.pki.goog/we2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEQDHi9aO%2BrLYIArv8VY0Y8O5 | unknown | whitelisted
7708 | BANK SLIP_TT COPY-025-14-4-2025.exe | GET | 200 | 172.217.23.99:80 | http://c.pki.goog/r/gsr1.crl | unknown | whitelisted
7708 | BANK SLIP_TT COPY-025-14-4-2025.exe | GET | 200 | 172.217.18.3:80 | http://o.pki.goog/we2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEQCaWeNpIFSBzAkvnnFNzwtC | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | | | | whitelisted
5332 | RUXIMICS.exe | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
(as above) | (as above) | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
2104 | svchost.exe | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
4 | System | 192.168.100.255:138 | | | | whitelisted
5496 | MoUsoCoreWorker.exe | 2.16.164.89:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
2112 | svchost.exe | 40.127.240.158:443 | | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 | svchost.exe | 20.190.159.71:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain | IP | Reputation
google.com | 172.217.16.206 | whitelisted
crl.microsoft.com | 2.16.164.89, 2.16.164.25, 2.16.164.99, 2.16.164.42, 2.16.164.130, 2.16.164.49, 2.16.164.106 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
login.live.com | 20.190.159.71, 40.126.31.131, 20.190.159.130, 40.126.31.130, 40.126.31.67, 20.190.159.23, 20.190.159.131, 40.126.31.2 | whitelisted
ocsp.digicert.com | 2.23.77.188, 2.17.190.73 | whitelisted
settings-win.data.microsoft.com | 20.73.194.208 | whitelisted
officeclient.microsoft.com | 52.109.32.97 | whitelisted
ecs.office.com | 52.123.129.14, 52.123.128.14 | whitelisted
roaming.officeapps.live.com | 52.109.68.129 | whitelisted
omex.cdn.office.net | 23.48.23.66, 23.48.23.11, 23.48.23.43 | whitelisted

Threats

PID | Process | Class | Message
7708 | BANK SLIP_TT COPY-025-14-4-2025.exe | Attempted Information Leak | ET INFO IP Check Domain (showip in HTTP Host)
7708 | BANK SLIP_TT COPY-025-14-4-2025.exe | Device Retrieving External IP Address Detected | ET HUNTING [ANY.RUN] DARKCLOUD Style External IP Check
7708 | BANK SLIP_TT COPY-025-14-4-2025.exe | A Network Trojan was detected | STEALER [ANY.RUN] DarkCloud External IP Check
2196 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
7708 | BANK SLIP_TT COPY-025-14-4-2025.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
7708 | BANK SLIP_TT COPY-025-14-4-2025.exe | Misc activity | ET HUNTING Telegram API Certificate Observed
7176 | BANK SLIP_TT COPY-025-14-4-2025.exe | Attempted Information Leak | ET INFO IP Check Domain (showip in HTTP Host)
7176 | BANK SLIP_TT COPY-025-14-4-2025.exe | A Network Trojan was detected | STEALER [ANY.RUN] DarkCloud External IP Check
7176 | BANK SLIP_TT COPY-025-14-4-2025.exe | Device Retrieving External IP Address Detected | ET HUNTING [ANY.RUN] DARKCLOUD Style External IP Check
2196 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
No debug info