File name: SMTP[1].eml (24).tgz

Full analysis: https://app.any.run/tasks/e8d093cd-1923-4b4b-b0c0-20bf4db80984
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: April 15, 2025, 09:59:39
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
susp-attachments
attachments
attc-unc
stealer
evasion
telegram
Indicators:
MIME: application/gzip
File info: gzip compressed data, last modified: Tue Apr 15 09:29:49 2025, from Unix, original size modulo 2^32 1003520
MD5: A5485298DB9519528D98873BDA01A154
SHA1: B6582B557FBCF1E3513588DD437EEFD7F3FE48E7
SHA256: 044BC79654EC6FF47488C566D52AB482D49E41DD64D61EFD2777C36705971D16
SSDEEP: 24576:WEtPEw52dC/FRFDJujE1non8ci136zwJDPTugJwsPQxDszwYFHjxskEX2AZLdv3a:WEtPE82d6FRFFYE1non8ci136WDPTugt

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as is, for the user's acknowledgement. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7624)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 4628)
    • Actions look like stealing of personal data

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
    • Stealer network behavior

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
  • SUSPICIOUS

    • Application launched itself

      • WinRAR.exe (PID: 7328)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7624)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 4628)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 7328)
      • WinRAR.exe (PID: 7808)
      • WinRAR.exe (PID: 5352)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
    • Reads Microsoft Outlook installation path

      • WinRAR.exe (PID: 7808)
    • Executable content was dropped or overwritten

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7624)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 4628)
    • Creates a file in the system drive root

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7624)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 4628)
    • The process creates files with names similar to system file names

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7624)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 4628)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7624)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 4628)
    • There is functionality for taking screenshot (YARA)

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7624)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 4628)
    • Uses TASKKILL.EXE to kill browsers

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
    • Checks for external IP

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
    • Process communicates with Telegram (possibly using it as an attacker's C2 server)

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
  • INFO

    • The sample was compiled with English language support

      • WinRAR.exe (PID: 7328)
      • WinRAR.exe (PID: 7808)
      • OUTLOOK.EXE (PID: 8000)
      • WinRAR.exe (PID: 5352)
    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 7808)
    • Manual execution by a user

      • WinRAR.exe (PID: 5352)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 4628)
    • Checks supported languages

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7624)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 4628)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5352)
    • Creates files in a temporary directory

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7624)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 4628)
    • Reads the software policy settings

      • slui.exe (PID: 7496)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
      • slui.exe (PID: 7772)
    • Checks proxy server information

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
      • slui.exe (PID: 7772)
    • Reads the computer name

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
    • Reads the machine GUID from the registry

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
    • Creates files or folders in the user directory

      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7708)
      • BANK SLIP_TT COPY-025-14-4-2025.exe (PID: 7176)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.z/gz/gzip | GZipped data (100)

EXIF

ZIP

Compression: Deflated
Flags: (none)
ModifyDate: 2025:04:15 09:29:49+00:00
ExtraFlags: (none)
OperatingSystem: Unix
No data.
All screenshots are available in the full report
Total processes
154
Monitored processes
17
Malicious processes
5
Suspicious processes
0


Process information

PID
CMD
Path
Indicators
Parent process
PID: 1660
CMD: taskkill /f /im chrome.exe
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: BANK SLIP_TT COPY-025-14-4-2025.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Terminates Processes
Exit code:
128
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2420
CMD: "C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding
Path: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Exit code:
0
Version:
16.0.16026.20146
Modules
Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 4628
CMD: "C:\Users\admin\Desktop\BANK SLIP_TT COPY-025-14-4-2025.exe"
Path: C:\Users\admin\Desktop\BANK SLIP_TT COPY-025-14-4-2025.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Version:
1.3.0.0
Modules
Images
c:\users\admin\desktop\bank slip_tt copy-025-14-4-2025.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 5352
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\BANK SLIP_TT COPY-025-14-4-2025.txz"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 5376
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5892
CMD: "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "1DDC4ED6-2195-4495-8C78-BD25866072B4" "2BD4F4D8-325E-42AE-81D3-1664951EE48B" "8000"
Path: C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe
Parent process: OUTLOOK.EXE
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version:
0.12.2.0
Modules
Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\ucrtbase.dll
PID: 7176
CMD: "C:\Users\admin\Desktop\BANK SLIP_TT COPY-025-14-4-2025.exe"
Path: C:\Users\admin\Desktop\BANK SLIP_TT COPY-025-14-4-2025.exe
Parent process: BANK SLIP_TT COPY-025-14-4-2025.exe
User:
admin
Integrity Level:
MEDIUM
Version:
1.3.0.0
Modules
Images
c:\windows\syswow64\mshtml.dll
c:\users\admin\desktop\bank slip_tt copy-025-14-4-2025.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID: 7328
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\SMTP[1].eml (24).tgz.gz"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
PID: 7460
CMD: C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path: C:\Windows\System32\SppExtComObj.Exe
Parent process: svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID: 7496
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
Total events
26 676
Read events
24 607
Write events
1 894
Delete events
175

Modification events

(PID) Process: (7328) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value:
C:\Users\admin\Desktop\preferences.zip
(PID) Process: (7328) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process: (7328) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process: (7328) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value:
C:\Users\admin\AppData\Local\Temp\SMTP[1].eml (24).tgz.gz
(PID) Process: (7328) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value:
120
(PID) Process: (7328) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value:
80
(PID) Process: (7328) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value:
120
(PID) Process: (7328) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value:
100
(PID) Process: (7808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value:
C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process: (7808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value:
C:\Users\admin\Desktop\omni_23_10_2024_.zip
Executable files
4
Suspicious files
45
Text files
11
Unknown types
2

Dropped files

PID
Process
Filename
Type
PID: 8000
Process: OUTLOOK.EXE
Filename: C:\Users\admin\Documents\Outlook Files\Outlook1.pst
Type:
MD5:
SHA256:
PID: 7808
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa7808.998\SMTP[1].eml:OECustomProperty
Type: binary
MD5: EFB260EE07B124A37A54726A2963C2BC
SHA256: 071EDF9ECF203A5686F0C13099FA09011263CA7606DC7928149B3B119068920E
PID: 8000
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Type: binary
MD5: 3FD6412CBD482CF2884D4850361BAD8F
SHA256: A0926FD717DED0028D04CB5B67DE84926874A4800E44D7DB03B402B62FF294BB
PID: 8000
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04
Type: binary
MD5: 8F262A930527AE9D8ED59AB687A6A635
SHA256: 7EE7CAED54B6B2C7A7E94A75C33C983AC56462826D27BD5F54DF8421BB500E15
PID: 8000
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Type: der
MD5: DA942B68436EE42E617C0A9D51B22A89
SHA256: 3A5165EE9E26227D2B00160311D8CEA792C36F74B7A06A70894D3E4BB7FA1629
PID: 8000
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin
Type: text
MD5: CC90D669144261B198DEAD45AA266572
SHA256: 89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899
PID: 8000
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres
Type: binary
MD5: CB7019D5404A0C8CD4A7AF5ADBCEC8C7
SHA256: F2745489D8A0EE63E1F0782FDFCB7FA6FACA225EFB2A60164277D71CF9E63292
PID: 8000
Process: OUTLOOK.EXE
Filename: C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
Type: binary
MD5: 850BF18CF68E9EB9D568317533DB5B8E
SHA256: 864D80C78EF74A04C2A34439FEF5E6D5E468D7D1B55D5AF5E5938CEDE50DBE52
PID: 7328
Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIa7328.49959\SMTP[1].eml (24).tgz
Type: compressed
MD5: 248000CB1472E3ED782E0426C11A3C11
SHA256: 877EBEE900FEFB169CC48F76DE2709BF81879447E00F045ED10F20FA86724D49
PID: 7624
Process: BANK SLIP_TT COPY-025-14-4-2025.exe
Filename: C:\Users\admin\pacifist\Spidslrkernes\mendelssohnic.tra
Type:
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
15
TCP/UDP connections
44
DNS requests
31
Threats
12

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
8000
OUTLOOK.EXE
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted
8000
OUTLOOK.EXE
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D
unknown
whitelisted
6148
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
5496
MoUsoCoreWorker.exe
GET
200
2.16.164.89:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
7708
BANK SLIP_TT COPY-025-14-4-2025.exe
GET
200
172.217.18.3:80
http://o.pki.goog/we2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEQCaWeNpIFSBzAkvnnFNzwtC
unknown
whitelisted
7708
BANK SLIP_TT COPY-025-14-4-2025.exe
GET
200
172.217.23.99:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
7708
BANK SLIP_TT COPY-025-14-4-2025.exe
GET
200
172.217.18.3:80
http://o.pki.goog/we2/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEQDHi9aO%2BrLYIArv8VY0Y8O5
unknown
whitelisted
7708
BANK SLIP_TT COPY-025-14-4-2025.exe
GET
200
172.217.23.99:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
6148
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5332
RUXIMICS.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
2104
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
5496
MoUsoCoreWorker.exe
2.16.164.89:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
2112
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.71:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 172.217.16.206
whitelisted
crl.microsoft.com
  • 2.16.164.89
  • 2.16.164.25
  • 2.16.164.99
  • 2.16.164.42
  • 2.16.164.130
  • 2.16.164.49
  • 2.16.164.106
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.159.71
  • 40.126.31.131
  • 20.190.159.130
  • 40.126.31.130
  • 40.126.31.67
  • 20.190.159.23
  • 20.190.159.131
  • 40.126.31.2
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 20.73.194.208
whitelisted
officeclient.microsoft.com
  • 52.109.32.97
whitelisted
ecs.office.com
  • 52.123.129.14
  • 52.123.128.14
whitelisted
roaming.officeapps.live.com
  • 52.109.68.129
whitelisted
omex.cdn.office.net
  • 23.48.23.66
  • 23.48.23.11
  • 23.48.23.43
whitelisted

Threats

PID
Process
Class
Message
7708
BANK SLIP_TT COPY-025-14-4-2025.exe
Attempted Information Leak
ET INFO IP Check Domain (showip in HTTP Host)
7708
BANK SLIP_TT COPY-025-14-4-2025.exe
Device Retrieving External IP Address Detected
ET HUNTING [ANY.RUN] DARKCLOUD Style External IP Check
7708
BANK SLIP_TT COPY-025-14-4-2025.exe
A Network Trojan was detected
STEALER [ANY.RUN] DarkCloud External IP Check
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
7708
BANK SLIP_TT COPY-025-14-4-2025.exe
Misc activity
ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI)
7708
BANK SLIP_TT COPY-025-14-4-2025.exe
Misc activity
ET HUNTING Telegram API Certificate Observed
7176
BANK SLIP_TT COPY-025-14-4-2025.exe
Attempted Information Leak
ET INFO IP Check Domain (showip in HTTP Host)
7176
BANK SLIP_TT COPY-025-14-4-2025.exe
A Network Trojan was detected
STEALER [ANY.RUN] DarkCloud External IP Check
7176
BANK SLIP_TT COPY-025-14-4-2025.exe
Device Retrieving External IP Address Detected
ET HUNTING [ANY.RUN] DARKCLOUD Style External IP Check
2196
svchost.exe
Misc activity
ET HUNTING Telegram API Domain in DNS Lookup
No debug info