Malware analysis RE_ RE_ RE_ RE_ CONFIRMACIÓN DE PAGO !!!.eml Malicious activity

Add for printing

File name:	RE_ RE_ RE_ RE_ CONFIRMACIÓN DE PAGO !!!.eml
Full analysis:	https://app.any.run/tasks/e4455dbb-1e99-4fd6-a7d2-b91f7544d566
Verdict:	Malicious activity
Threats:	A keylogger is a type of spyware that infects a system and has the ability to record every keystroke made on the device. This lets attackers collect personal information of victims, which may include their online banking credentials, as well as personal conversations. The most widespread vector of attack leading to a keylogger infection begins with a phishing email or link. Keylogging is also often present in remote access trojans as part of an extended set of malicious tools. Malware Trends Tracker >>>
Analysis date:	April 29, 2025, 14:25:57
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-exec snake keylogger evasion telegram
Indicators:
MIME:	message/rfc822
File info:	SMTP mail, Unicode text, UTF-8 text, with CRLF line terminators
MD5:	B223FECB04E1E2EA291120DA89654F8D
SHA1:	A4DCEB4EB3BE2D777ED90335D05E9F0A9856030C
SHA256:	D7BAAB77E155464C1CA90B064F1AB4432C63CA51CABED7658E1F4E79988A2F1C
SSDEEP:	24576:Ronx7REK7qnFc0U9iOA9p7YdKvEW4P0O3S:ynxaWA7Y4J

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:: off
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Generic archive extractor
  - OUTLOOK.EXE (PID: 4932)
- SNAKEKEYLOGGER has been detected (SURICATA)
  - RegSvcs.exe (PID: 7636)
- Uses Task Scheduler to run other applications
  - 89902937283628.exe (PID: 5072)
SUSPICIOUS
- Checks for external IP
  - svchost.exe (PID: 2196)
  - RegSvcs.exe (PID: 7636)
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 2980)
  - 89902937283628.exe (PID: 5072)
- Executable content was dropped or overwritten
  - 89902937283628.exe (PID: 5072)
- Executes application which crashes
  - RegSvcs.exe (PID: 7636)
- Process communicates with Telegram (possibly using it as an attacker's C2 server)
  - RegSvcs.exe (PID: 7636)
INFO
- Reads the software policy settings
  - RegSvcs.exe (PID: 7636)
  - slui.exe (PID: 7804)
  - slui.exe (PID: 7920)
- Reads the computer name
  - RegSvcs.exe (PID: 7636)
  - 89902937283628.exe (PID: 5072)
- Creates files or folders in the user directory
  - 89902937283628.exe (PID: 5072)
  - WerFault.exe (PID: 8020)
- Reads the machine GUID from the registry
  - 89902937283628.exe (PID: 5072)
  - RegSvcs.exe (PID: 7636)
- Checks supported languages
  - 89902937283628.exe (PID: 5072)
  - RegSvcs.exe (PID: 7636)
- Executable content was dropped or overwritten
  - WinRAR.exe (PID: 2980)
- Create files in a temporary directory
  - 89902937283628.exe (PID: 5072)
- Checks proxy server information
  - RegSvcs.exe (PID: 7636)
  - slui.exe (PID: 7920)
- Process checks computer location settings
  - 89902937283628.exe (PID: 5072)
- Disables trace logs
  - RegSvcs.exe (PID: 7636)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.eml	\|	E-Mail message (Var. 1) (100)

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

153

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

2196

C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache

C:\Windows\System32\svchost.exe

services.exe

User:

NETWORK SERVICE

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Host Process for Windows Services

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll

2980

"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ZHGDDDAB\89902937283628.zip"

C:\Program Files\WinRAR\WinRAR.exe

OUTLOOK.EXE

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

4932

"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" /eml "C:\Users\admin\AppData\Local\Temp\RE_ RE_ RE_ RE_ CONFIRMACIÓN DE PAGO !!!.eml"

C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

explorer.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Outlook

Version:

16.0.16026.20146

Modules

Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\program files\microsoft office\root\office16\vcruntime140_1.dll

5072

"C:\Users\admin\AppData\Local\Temp\Rar$EXa2980.12836\89902937283628.exe"

C:\Users\admin\AppData\Local\Temp\Rar$EXa2980.12836\89902937283628.exe

WinRAR.exe

User:

admin

Company:

Microsoft

Integrity Level:

MEDIUM

Description:

Advanced System Settings

Exit code:

Version:

1.0.0.0

Modules

Images
c:\users\admin\appdata\local\temp\rar$exa2980.12836\89902937283628.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll

7496

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RSAUfIvxpyWk" /XML "C:\Users\admin\AppData\Local\Temp\tmpB6E9.tmp"

C:\Windows\SysWOW64\schtasks.exe

—

89902937283628.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Task Scheduler Configuration Tool

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\oleaut32.dll

7520

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

schtasks.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

7632

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

—

89902937283628.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft .NET Services Installation Utility

Exit code:

4294967295

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

7636

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

89902937283628.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft .NET Services Installation Utility

Exit code:

3762504530

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\advapi32.dll

7696

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

—

89902937283628.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft .NET Services Installation Utility

Exit code:

4294967295

Version:

4.8.9037.0 built by: NET481REL1

Modules

Images
c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

7712

"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "10CE6ABD-7D1A-4A97-8285-7E3DE425BE01" "72EE37D1-F9F5-48C7-B313-F7B19709CE5F" "4932"

C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe

—

OUTLOOK.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.

Version:

0.12.2.0

Modules

Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\program files\common files\microsoft shared\clicktorun\c2r64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\ole32.dll
c:\windows\system32\sechost.dll

Add for printing

Total events

18 228

Read events

16 961

Write events

1 112

Delete events

155

Modification events


(PID) Process:	(4932) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData
Operation:	write	Name:	SessionId
Value: C7727E9F-3230-4B28-B317-5346C751031B
(PID) Process:	(4932) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics
Operation:	delete value	Name:	BootFailureCount
Value:
(PID) Process:	(4932) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Preferences
Operation:	delete value	Name:	ChangeProfileOnRestart
Value:
(PID) Process:	(4932) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
Operation:	write	Name:	00030429
Value: 09000000
(PID) Process:	(4932) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Diagnostics\BootDiagnosticsData
Operation:	write	Name:	ProfileBeingOpened
Value: Outlook
(PID) Process:	(4932) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\0a0d020000000000c000000000000046
Operation:	write	Name:	00030397
Value: 60000000
(PID) Process:	(4932) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3\0
Operation:	write	Name:	FilePath
Value: officeclient.microsoft.com\C9C7F762-73B4-43B9-8061-C07891B5CDE1
(PID) Process:	(4932) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3\0
Operation:	write	Name:	StartDate
Value: D0BB7BA912B9DB01
(PID) Process:	(4932) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Internet\WebServiceCache\AllUsers\officeclient.microsoft.com\config16--lcid=1033&syslcid=1033&uilcid=1033&build=16.0.16026&crev=3\0
Operation:	write	Name:	EndDate
Value: D07BE5D3DBB9DB01
(PID) Process:	(4932) OUTLOOK.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\outlook.exe\ETWMonitor\{02CAC15F-D4BE-400E-9127-D54982AA4AE9}
Operation:	delete key	Name:	(default)
Value:

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
4932	OUTLOOK.EXE	C:\Users\admin\Documents\Outlook Files\Outlook1.pst		—
		MD5:—	SHA256:—
4932	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres		binary
		MD5:C04F8386334F82D51AEAC9D6040854C4	SHA256:9B7ADEF99BFD1DD669FDCD83431593B1B4F911797C92C9725C1EB4E3F3E4C949
4932	OUTLOOK.EXE	C:\Users\admin\AppData\Roaming\Microsoft\Templates\~$rmalEmail.dotm		binary
		MD5:566D013D865E461D9669130B64B67483	SHA256:AF18CF86BE710F2C5A7333BA79BCB47FA3D442F9081632753C75B662D1077790
4932	OUTLOOK.EXE	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9		binary
		MD5:FB60FF789C58BC6CDCCF1F388665810F	SHA256:D0D379988D4ED6E4ACBE57E83246B62FE36DACBF96793173F626B7E31FDFB8E4
4932	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres		binary
		MD5:8F00DE25D5B83347DCDB2F5C09786D2B	SHA256:014947171CAC78B8729AB71594434DE8A5AE21DE762D546F284B2AC76624C00D
4932	OUTLOOK.EXE	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9		binary
		MD5:FB2C8D6A934F273115EB27F99D42ABB5	SHA256:2F0AAEE17B34D836A67AD4944B5C97AC97D31D9F5BF58D75FE08D03F4594C60E
8020	WerFault.exe	C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegSvcs.exe_fbb6a1c2d3cf2233f631911b678ed791932f99_228b0592_32422e69-257d-42e9-9b76-3feba6f23990\Report.wer		—
		MD5:—	SHA256:—
8020	WerFault.exe	C:\Users\admin\AppData\Local\CrashDumps\RegSvcs.exe.7636.dmp		—
		MD5:—	SHA256:—
4932	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\Content.MSO\E285B2CF.dat		image
		MD5:0DB020747B3690A9383FC4BD9D468BDD	SHA256:DD01A8662C6B01D0D798108255DEA7EC78523D74CFE754CB05A26D550559D129
4932	OUTLOOK.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\AddInClassifierCache\OfficeSharedEntities.bin		text
		MD5:CC90D669144261B198DEAD45AA266572	SHA256:89C701EEFF939A44F28921FD85365ECD87041935DCD0FE0BAF04957DA12C9899

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
5332	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
5332	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl	unknown	—	—	whitelisted
5496	MoUsoCoreWorker.exe	GET	200	23.216.77.42:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
7636	RegSvcs.exe	GET	200	132.226.8.169:80	http://checkip.dyndns.org/	unknown	—	—	whitelisted
4932	OUTLOOK.EXE	GET	200	184.30.131.245:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D	unknown	—	—	whitelisted
7636	RegSvcs.exe	GET	200	132.226.8.169:80	http://checkip.dyndns.org/	unknown	—	—	whitelisted
7636	RegSvcs.exe	GET	200	132.226.8.169:80	http://checkip.dyndns.org/	unknown	—	—	whitelisted
7636	RegSvcs.exe	GET	200	132.226.8.169:80	http://checkip.dyndns.org/	unknown	—	—	whitelisted
7636	RegSvcs.exe	GET	200	132.226.8.169:80	http://checkip.dyndns.org/	unknown	—	—	whitelisted
7636	RegSvcs.exe	GET	200	132.226.8.169:80	http://checkip.dyndns.org/	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
5496	MoUsoCoreWorker.exe	23.216.77.42:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
5496	MoUsoCoreWorker.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
2104	svchost.exe	51.124.78.146:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
4628	RUXIMICS.exe	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4932	OUTLOOK.EXE	52.109.76.240:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
4932	OUTLOOK.EXE	52.123.128.14:443	ecs.office.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted

DNS requests

Domain	IP	Reputation
crl.microsoft.com	23.216.77.42 23.216.77.6	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
google.com	142.250.185.142	whitelisted
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2	whitelisted
officeclient.microsoft.com	52.109.76.240	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
ecs.office.com	52.123.128.14 52.123.129.14	whitelisted
roaming.officeapps.live.com	52.109.89.19	whitelisted
ocsp.digicert.com	184.30.131.245	whitelisted
omex.cdn.office.net	23.48.23.30 23.48.23.18 23.48.23.42	whitelisted

Threats

PID	Process	Class	Message
2196	svchost.exe	Device Retrieving External IP Address Detected	ET DYN_DNS External IP Lookup Domain in DNS Query (checkip .dyndns .org)
7636	RegSvcs.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org
7636	RegSvcs.exe	Device Retrieving External IP Address Detected	ET INFO 404/Snake/Matiex Keylogger Style External IP Check
2196	svchost.exe	Device Retrieving External IP Address Detected	INFO [ANY.RUN] External IP Address Lookup Domain (reallyfreegeoip .org)
7636	RegSvcs.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org
7636	RegSvcs.exe	Misc activity	ET INFO External IP Lookup Service Domain (reallyfreegeoip .org) in TLS SNI
2196	svchost.exe	Misc activity	ET INFO External IP Address Lookup Domain in DNS Lookup (reallyfreegeoip .org)
7636	RegSvcs.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org
7636	RegSvcs.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org
7636	RegSvcs.exe	Device Retrieving External IP Address Detected	ET INFO External IP Lookup - checkip.dyndns.org

Add for printing

No debug info

General Info

RE_ RE_ RE_ RE_ CONFIRMACIÓN DE PAGO !!!.eml

B223FECB04E1E2EA291120DA89654F8D

A4DCEB4EB3BE2D777ED90335D05E9F0A9856030C

D7BAAB77E155464C1CA90B064F1AB4432C63CA51CABED7658E1F4E79988A2F1C

24576:Ronx7REK7qnFc0U9iOA9p7YdKvEW4P0O3S:ynxaWA7Y4J

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Generic archive extractor

SNAKEKEYLOGGER has been detected (SURICATA)

Uses Task Scheduler to run other applications

SUSPICIOUS

Checks for external IP

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Executes application which crashes

Process communicates with Telegram (possibly using it as an attacker's C2 server)

INFO

Reads the software policy settings

Reads the computer name

Creates files or folders in the user directory

Reads the machine GUID from the registry

Checks supported languages

Executable content was dropped or overwritten

Create files in a temporary directory

Checks proxy server information

Process checks computer location settings

Disables trace logs

Malware configuration

Static information

TRiD

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings