File name: 32acd0a9-0a72-499e-850c-fa68fa42ad1f

Full analysis: https://app.any.run/tasks/8111c029-85ff-4f7a-81be-2ac0c69436c2
Verdict: Malicious activity
Threats:

Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: April 15, 2025, 20:57:08
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
attachments
attc-unc
susp-attachments
stealer
evasion
Indicators:
MIME: application/zip
File info: Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5: F16B0A21F5A558312CA934417035F0C2
SHA1: A42891480E0E0769CFA9DB56B02A6739D962811A
SHA256: 448774E59631B7756C4350148BE4B70998F8A47DDF62263D6AC04235259F594D
SSDEEP: 49152:sv9nBt6kVgeUBTyi4998nVy2o7wBSMZwJgwK6foibpp80JlvFp8NhD+YAHl/G9o5:G9BA4tri4n8nVy28wBLw+wKJvYpFiL6D

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7728)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 3884)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7976)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7964)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 632)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 1012)
    • Actions look like stealing of personal data

      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7964)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 632)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 1012)
    • Stealer network behavior

      • BANK SLIP_TT COPY-0237844735748.exe (PID: 1012)
  • SUSPICIOUS

    • Reads Microsoft Outlook installation path

      • WinRAR.exe (PID: 7428)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 7428)
      • WinRAR.exe (PID: 7780)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 632)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7964)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 1012)
    • The process creates files with names similar to system file names

      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7728)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 3884)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7976)
    • Creates a file in the system drive root

      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7728)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 3884)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7976)
    • Executable content was dropped or overwritten

      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7728)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 3884)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7976)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7728)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 3884)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7976)
    • Application launched itself

      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7728)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 3884)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7976)
    • Checks for external IP

      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7964)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 632)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 1012)
    • Uses TASKKILL.EXE to kill Browsers

      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7964)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 632)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 1012)
  • INFO

    • Reads the software policy settings

      • slui.exe (PID: 7616)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 632)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7964)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 1012)
    • Reads Microsoft Office registry keys

      • WinRAR.exe (PID: 7428)
    • The sample is compiled with English language support

      • WinRAR.exe (PID: 7428)
      • OUTLOOK.EXE (PID: 6972)
      • WinRAR.exe (PID: 7780)
    • Creates files in a temporary directory

      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7728)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 3884)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7976)
    • Checks supported languages

      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7728)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 3884)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7964)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7976)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 632)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 1012)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 7780)
    • Creates files or folders in the user directory

      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7964)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 632)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 1012)
    • Reads the computer name

      • BANK SLIP_TT COPY-0237844735748.exe (PID: 632)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7964)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 1012)
    • Reads the machine GUID from the registry

      • BANK SLIP_TT COPY-0237844735748.exe (PID: 632)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7964)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 1012)
    • Checks proxy server information

      • BANK SLIP_TT COPY-0237844735748.exe (PID: 632)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 7964)
      • BANK SLIP_TT COPY-0237844735748.exe (PID: 1012)
Find more information about signature artifacts and the mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 51
ZipBitFlag: 0x0801
ZipCompression: Unknown (99)
ZipModifyDate: 2025:04:15 20:54:50
ZipCRC: 0x00000000
ZipCompressedSize: 1101608
ZipUncompressedSize: 1101580
ZipFileName: aee9bf3747fb171023713ac15a124c4f256f9151c592f2dac2555bf7ffd0b9e5.eml
No data.
All screenshots are available in the full report
Total processes: 152
Monitored processes: 20
Malicious processes: 9
Suspicious processes: 0

Behavior graph

Process chain as shown in the graph (the report marks processes without specific indicators as "no specs"):
  • winrar.exe (no specs)
  • sppextcomobj.exe (no specs)
  • slui.exe
  • outlook.exe
  • ai.exe (no specs)
  • winrar.exe
  • slui.exe (no specs)
  • bank slip_tt copy-0237844735748.exe
  • bank slip_tt copy-0237844735748.exe
  • bank slip_tt copy-0237844735748.exe
  • bank slip_tt copy-0237844735748.exe
  • bank slip_tt copy-0237844735748.exe
  • bank slip_tt copy-0237844735748.exe
  • taskkill.exe (no specs)
  • conhost.exe (no specs)
  • taskkill.exe (no specs)
  • conhost.exe (no specs)
  • outlook.exe (no specs)
  • taskkill.exe (no specs)
  • conhost.exe (no specs)

Process information

Fields per process: PID, CMD, Path, Indicators, Parent process
PID: 632
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa7780.1380\BANK SLIP_TT COPY-0237844735748.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa7780.1380\BANK SLIP_TT COPY-0237844735748.exe
Parent process: BANK SLIP_TT COPY-0237844735748.exe
User: admin
Integrity Level: MEDIUM
Version: 1.3.0.0
Modules (images):
c:\windows\syswow64\mshtml.dll
c:\users\admin\appdata\local\temp\rar$exa7780.1380\bank slip_tt copy-0237844735748.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
PID: 1012
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa7780.2064\BANK SLIP_TT COPY-0237844735748.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa7780.2064\BANK SLIP_TT COPY-0237844735748.exe
Parent process: BANK SLIP_TT COPY-0237844735748.exe
User: admin
Integrity Level: MEDIUM
Version: 1.3.0.0
Modules (images):
c:\windows\syswow64\mshtml.dll
c:\users\admin\appdata\local\temp\rar$exa7780.2064\bank slip_tt copy-0237844735748.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
PID: 2568
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 3884
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXa7780.1380\BANK SLIP_TT COPY-0237844735748.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXa7780.1380\BANK SLIP_TT COPY-0237844735748.exe
Parent process: WinRAR.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.3.0.0
Modules (images):
c:\users\admin\appdata\local\temp\rar$exa7780.1380\bank slip_tt copy-0237844735748.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\user32.dll
c:\windows\syswow64\win32u.dll
PID: 3896
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 4528
CMD: taskkill /f /im chrome.exe
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: BANK SLIP_TT COPY-0237844735748.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 4620
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: taskkill.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 5256
CMD: "C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "DCE5EFC3-302B-43BA-9811-74FB874AB71B" "1C17CA4B-3297-4FAC-BE43-00360DD5E91C" "6972"
Path: C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe
Parent process: OUTLOOK.EXE
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.
Version: 0.12.2.0
Modules (images):
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\sechost.dll
PID: 5680
CMD: taskkill /f /im chrome.exe
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: BANK SLIP_TT COPY-0237844735748.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
PID: 6344
CMD: taskkill /f /im chrome.exe
Path: C:\Windows\SysWOW64\taskkill.exe
Parent process: BANK SLIP_TT COPY-0237844735748.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Terminates Processes
Exit code: 128
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\taskkill.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll
c:\windows\syswow64\msvcrt.dll
Total events: 33 387
Read events: 31 187
Write events: 2 076
Delete events: 124

Modification events

(7428) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 3 | Value: C:\Users\admin\Desktop\preferences.zip
(7428) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 2 | Value: C:\Users\admin\Desktop\chromium_ext.zip
(7428) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 1 | Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(7428) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory | Operation: write | Name: 0 | Value: C:\Users\admin\AppData\Local\Temp\32acd0a9-0a72-499e-850c-fa68fa42ad1f.zip
(7428) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: name | Value: 120
(7428) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: size | Value: 80
(7428) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: type | Value: 120
(7428) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths | Operation: write | Name: mtime | Value: 100
(7428) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | Operation: write | Name: name | Value: 256
(7428) WinRAR.exe | Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\ArcColumnWidths | Operation: write | Name: size | Value: 80
Executable files: 6
Suspicious files: 50
Text files: 12
Unknown types: 0

Dropped files

Fields per file: PID, Process, Filename, Type, MD5, SHA256
PID 6972 (OUTLOOK.EXE): C:\Users\admin\Documents\Outlook Files\Outlook1.pst
Type: not recorded | MD5: not recorded | SHA256: not recorded
PID 6972 (OUTLOOK.EXE): C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\23A63E85.tmp
Type: image | MD5: F15B33577FD7B2D8AA8365F80F5EA3DA | SHA256: 58DFAE5EA3915167E5FC35B418BF84E7FD5B77B52E5581F098AB511AAEFE8BE2
PID 6972 (OUTLOOK.EXE): C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Type: binary | MD5: 58D8159F31D3DD85BEB961AD13A294BA | SHA256: 640222B6E157A9D4B1178084F93D152E230CE4302C68489B6EE73C79E41DDE2B
PID 6972 (OUTLOOK.EXE): C:\Users\admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\40EC43C5-2C4A-4D80-8205-EE8F1CCD65E9
Type: xml | MD5: A6EC13359394F73D2D33C78D65690A69 | SHA256: 3CEE29CE8CBE6536E148593A9CB52BEB1BF76900E3D1DCD6EB9FB1401FC913D3
PID 7428 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\__rzi_7428.49341
Type: compressed | MD5: DD9C4B3C459BFF4E8EBA7EEF2C32198E | SHA256: 86E32DEA64A507B22CEE24293D7D819659FE17678613DBB567DC004558A1DA28
PID 6972 (OUTLOOK.EXE): C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm
Type: binary | MD5: E77EE026BEA4844FAD4E88AA411BC11E | SHA256: A6328B31185F5B8CE3C50E4E603975908C76D0B8C6439F4EFECA4E286EC0C531
PID 6972 (OUTLOOK.EXE): C:\Users\admin\AppData\Local\Temp\olk6DF9.tmp
Type: binary | MD5: 680E4C96FBE70761D06B2B0AE9FA86B7 | SHA256: 44D39300FFA2431C497CA4529EEC847F679FC27652BE31153E7BD504F44DA233
PID 7428 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DIb7428.47323\aee9bf3747fb171023713ac15a124c4f256f9151c592f2dac2555bf7ffd0b9e5.eml:OECustomProperty
Type: binary | MD5: 2EA2D3E787E264E94F6EA446ADD1411F | SHA256: 0E82CABC7E0F41AF62367102A1038EC73C532B75DF8C9763388446EB6F04FD6A
PID 7728 (BANK SLIP_TT COPY-0237844735748.exe): C:\Users\admin\pacifist\Eksperimentets\mendelssohnic.tra
Type: not recorded | MD5: not recorded | SHA256: not recorded
PID 7428 (WinRAR.exe): C:\Users\admin\AppData\Local\Temp\Rar$DIb7428.47323\aee9bf3747fb171023713ac15a124c4f256f9151c592f2dac2555bf7ffd0b9e5.eml
Type: html | MD5: 05DFCA2C37826B1AF40FB22EAE41B4D2 | SHA256: EE70A246DBD37BC1F204434E601544A039D09726C632915C7C1444701BA48A43
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 12
TCP/UDP connections: 40
DNS requests: 31
Threats: 12

HTTP requests

Fields per request: PID, Process, Method, HTTP code, IP, URL, CN, Reputation (the Type and Size columns are empty in the report; the first row has no PID or process recorded)
(no PID) | GET | 200 | 2.16.168.122:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | CN: unknown | whitelisted
6544 svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | CN: unknown | whitelisted
8152 SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | CN: unknown | whitelisted
8152 SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | CN: unknown | whitelisted
7964 BANK SLIP_TT COPY-0237844735748.exe | GET | 200 | 142.250.185.195:80 | http://c.pki.goog/r/gsr1.crl | CN: unknown | whitelisted
6972 OUTLOOK.EXE | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEApDqVCbATUviZV57HIIulA%3D | CN: unknown | whitelisted
7964 BANK SLIP_TT COPY-0237844735748.exe | GET | 200 | 142.250.185.195:80 | http://c.pki.goog/r/r4.crl | CN: unknown | whitelisted
7964 BANK SLIP_TT COPY-0237844735748.exe | GET | 200 | 142.250.185.195:80 | http://o.pki.goog/we2/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTuMJxAT2trYla0jia%2F5EUSmLrk3QQUdb7Ed66J9kQ3fc%2BxaB8dGuvcNFkCEDmdiANCnbVJCTfkel4NKS0%3D | CN: unknown | whitelisted
7964 BANK SLIP_TT COPY-0237844735748.exe | GET | 200 | 162.55.60.2:80 | http://showip.net/ | CN: unknown | shared
632 BANK SLIP_TT COPY-0237844735748.exe | GET | 200 | 162.55.60.2:80 | http://showip.net/ | CN: unknown | shared
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

Fields per connection: PID, Process, IP, Domain, ASN, CN, Reputation (rows with no PID or process recorded are marked as such; broadcast rows carry no domain, ASN or CN)
2104 svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 System | 192.168.100.255:137 | whitelisted
(no PID) | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
(no PID) | 2.16.168.122:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted
4 System | 192.168.100.255:138 | whitelisted
2112 svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3216 svchost.exe | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
6544 svchost.exe | 40.126.31.131:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2104 svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.16.168.122
  • 2.16.168.124
whitelisted
google.com
  • 142.250.184.206
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
login.live.com
  • 40.126.31.131
  • 20.190.159.2
  • 20.190.159.131
  • 20.190.159.129
  • 40.126.31.73
  • 20.190.159.75
  • 40.126.31.130
  • 20.190.159.71
  • 40.126.31.69
  • 20.190.159.68
  • 40.126.31.71
  • 40.126.31.1
  • 40.126.31.3
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 2.17.190.73
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.242.39.171
whitelisted
officeclient.microsoft.com
  • 52.109.32.97
whitelisted

Threats

Fields per alert: PID, Process, Class, Message
7964 BANK SLIP_TT COPY-0237844735748.exe | Attempted Information Leak | ET INFO IP Check Domain (showip in HTTP Host)
7964 BANK SLIP_TT COPY-0237844735748.exe | Device Retrieving External IP Address Detected | ET HUNTING [ANY.RUN] DARKCLOUD Style External IP Check
7964 BANK SLIP_TT COPY-0237844735748.exe | A Network Trojan was detected | STEALER [ANY.RUN] DarkCloud External IP Check
632 BANK SLIP_TT COPY-0237844735748.exe | A Network Trojan was detected | STEALER [ANY.RUN] DarkCloud External IP Check
632 BANK SLIP_TT COPY-0237844735748.exe | Attempted Information Leak | ET INFO IP Check Domain (showip in HTTP Host)
632 BANK SLIP_TT COPY-0237844735748.exe | Device Retrieving External IP Address Detected | ET HUNTING [ANY.RUN] DARKCLOUD Style External IP Check
1012 BANK SLIP_TT COPY-0237844735748.exe | Attempted Information Leak | ET INFO IP Check Domain (showip in HTTP Host)
1012 BANK SLIP_TT COPY-0237844735748.exe | Device Retrieving External IP Address Detected | ET HUNTING [ANY.RUN] DARKCLOUD Style External IP Check
1012 BANK SLIP_TT COPY-0237844735748.exe | A Network Trojan was detected | STEALER [ANY.RUN] DarkCloud External IP Check
2196 svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup
No debug info