File name: QUOTATION_JANQUOTE312025DF.scr

Full analysis: https://app.any.run/tasks/2990eca3-29d6-45d7-9598-5a75db1f6ddf
Verdict: Malicious activity
Threats:

DarkCloud is an infostealer that focuses on collecting and exfiltrating browser data from the infected device. The malware is also capable of keylogging and crypto address swapping. DarkCloud is typically delivered to victims’ computers via phishing emails.

Analysis date: March 25, 2025, 02:20:28
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: auto, stealer, darkcloud, fileshare
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: FF9F16BB211925E198C7227412C48AEA
SHA1: 951758EE2E91AD047B5A71232ADC99A6C4F4712A
SHA256: 4112269E2B0EC24C3F2955CDD8354A8EA4D172C72B7DCBD41C8FDA13BCE82FB3
SSDEEP: 24576:wYe8f7rCeAsFWsWCtS5jFWpv/BR/C/JUi4auWbpk:De8CeAsFWsWCtSVFWpv/BR/C/JUi4au8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • DARKCLOUD has been found (auto)

      • QUOTATION_JANQUOTE312025DF.scr.exe (PID: 5280)
  • SUSPICIOUS

    • Executes application which crashes

      • QUOTATION_JANQUOTE312025DF.scr.exe (PID: 5280)
    • Reads security settings of Internet Explorer

      • ShellExperienceHost.exe (PID: 6972)
  • INFO

    • Disables trace logs

      • QUOTATION_JANQUOTE312025DF.scr.exe (PID: 5280)
    • Reads the computer name

      • QUOTATION_JANQUOTE312025DF.scr.exe (PID: 5280)
      • ShellExperienceHost.exe (PID: 6972)
    • Checks supported languages

      • QUOTATION_JANQUOTE312025DF.scr.exe (PID: 5280)
      • ShellExperienceHost.exe (PID: 6972)
    • Creates files or folders in the user directory

      • WerFault.exe (PID: 5156)
      • BackgroundTransferHost.exe (PID: 4008)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 5740)
      • BackgroundTransferHost.exe (PID: 4108)
      • BackgroundTransferHost.exe (PID: 4008)
      • BackgroundTransferHost.exe (PID: 6988)
      • BackgroundTransferHost.exe (PID: 5124)
    • Reads the software policy settings

      • QUOTATION_JANQUOTE312025DF.scr.exe (PID: 5280)
      • BackgroundTransferHost.exe (PID: 4008)
      • slui.exe (PID: 2852)
    • Checks proxy server information

      • QUOTATION_JANQUOTE312025DF.scr.exe (PID: 5280)
      • BackgroundTransferHost.exe (PID: 4008)
    • Reads the machine GUID from the registry

      • QUOTATION_JANQUOTE312025DF.scr.exe (PID: 5280)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:02:24 05:39:33+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 678400
InitializedDataSize: 335360
UninitializedDataSize: -
EntryPoint: 0xa787e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 4.0.0.117
ProductVersionNumber: 4.0.0.117
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: AhnLab V3 Lite Main UI Application
CompanyName: AhnLab, Inc.
FileDescription: AhnLab V3 Lite Main UI Application
FileVersion: 4.0.0.117
InternalName: Kssguhfz.exe
LegalCopyright: © 2018-2019 AhnLab, Inc. All rights reserved.
LegalTrademarks: -
OriginalFileName: Kssguhfz.exe
ProductName: AhnLab V3 Lite
ProductVersion: 4.0.0.117
AssemblyVersion: 4.0.0.117
No data.
All screenshots are available in the full report
Total processes: 149
Monitored processes: 11
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Graph nodes, from the start node ("no specs" is the graph's own label for a node):
  • quotation_janquote312025df.scr.exe
  • sppextcomobj.exe (no specs)
  • slui.exe
  • werfault.exe (no specs)
  • backgroundtransferhost.exe (no specs)
  • backgroundtransferhost.exe
  • backgroundtransferhost.exe (no specs)
  • backgroundtransferhost.exe (no specs)
  • backgroundtransferhost.exe (no specs)
  • slui.exe (no specs)
  • shellexperiencehost.exe (no specs)

Process information

PID
CMD
Path
Indicators
Parent process
PID:
1764
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
2852
CMD:
"C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path:
C:\Windows\System32\slui.exe
Parent process:
SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
4008
CMD:
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path:
C:\Windows\System32\BackgroundTransferHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID:
4108
CMD:
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path:
C:\Windows\System32\BackgroundTransferHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID:
5124
CMD:
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path:
C:\Windows\System32\BackgroundTransferHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID:
5156
CMD:
C:\WINDOWS\SysWOW64\WerFault.exe -u -p 5280 -s 2104
Path:
C:\Windows\SysWOW64\WerFault.exe
Parent process:
QUOTATION_JANQUOTE312025DF.scr.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Problem Reporting
Exit code:
0
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\werfault.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID:
5280
CMD:
"C:\Users\admin\AppData\Local\Temp\QUOTATION_JANQUOTE312025DF.scr.exe"
Path:
C:\Users\admin\AppData\Local\Temp\QUOTATION_JANQUOTE312025DF.scr.exe
Parent process:
explorer.exe
User:
admin
Company:
AhnLab, Inc.
Integrity Level:
MEDIUM
Description:
AhnLab V3 Lite Main UI Application
Exit code:
3762504530
Version:
4.0.0.117
Modules
Images
c:\users\admin\appdata\local\temp\quotation_janquote312025df.scr.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
PID:
5740
CMD:
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.1
Path:
C:\Windows\System32\BackgroundTransferHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Download/Upload Host
Exit code:
1
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\backgroundtransferhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\bcryptprimitives.dll
PID:
6876
CMD:
C:\WINDOWS\system32\SppExtComObj.exe -Embedding
Path:
C:\Windows\System32\SppExtComObj.Exe
Parent process:
svchost.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
KMS Connection Broker
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\sppextcomobj.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\oleaut32.dll
PID:
6972
CMD:
"C:\WINDOWS\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
Path:
C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Shell Experience Host
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\shellexperiencehost_cw5n1h2txyewy\shellexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\wincorlib.dll
Total events: 5 904
Read events: 5 873
Write events: 31
Delete events: 0

Modification events

(PID) Process: (5280) QUOTATION_JANQUOTE312025DF.scr.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\QUOTATION_JANQUOTE312025?DF_RASAPI32
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (5280) QUOTATION_JANQUOTE312025DF.scr.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\QUOTATION_JANQUOTE312025?DF_RASAPI32
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (5280) QUOTATION_JANQUOTE312025DF.scr.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\QUOTATION_JANQUOTE312025?DF_RASAPI32
Operation: write
Name: EnableConsoleTracing
Value: 0

(PID) Process: (5280) QUOTATION_JANQUOTE312025DF.scr.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\QUOTATION_JANQUOTE312025?DF_RASAPI32
Operation: write
Name: FileTracingMask
Value:

(PID) Process: (5280) QUOTATION_JANQUOTE312025DF.scr.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\QUOTATION_JANQUOTE312025?DF_RASAPI32
Operation: write
Name: ConsoleTracingMask
Value:

(PID) Process: (5280) QUOTATION_JANQUOTE312025DF.scr.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\QUOTATION_JANQUOTE312025?DF_RASAPI32
Operation: write
Name: MaxFileSize
Value: 1048576

(PID) Process: (5280) QUOTATION_JANQUOTE312025DF.scr.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\QUOTATION_JANQUOTE312025?DF_RASAPI32
Operation: write
Name: FileDirectory
Value: %windir%\tracing

(PID) Process: (5280) QUOTATION_JANQUOTE312025DF.scr.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\QUOTATION_JANQUOTE312025?DF_RASMANCS
Operation: write
Name: EnableFileTracing
Value: 0

(PID) Process: (5280) QUOTATION_JANQUOTE312025DF.scr.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\QUOTATION_JANQUOTE312025?DF_RASMANCS
Operation: write
Name: EnableAutoFileTracing
Value: 0

(PID) Process: (5280) QUOTATION_JANQUOTE312025DF.scr.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\QUOTATION_JANQUOTE312025?DF_RASMANCS
Operation: write
Name: EnableConsoleTracing
Value: 0
Executable files: 0
Suspicious files: 7
Text files: 1
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID: 5156
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_4NBAL3L102YDCYVU_fd75299524d694da7a8bfb942089a812dc57b3c_75488bfb_a891825c-5b50-4b34-b565-4f1c356c773f\Report.wer
MD5:
SHA256:

PID: 5156
Process: WerFault.exe
Filename: C:\Users\admin\AppData\Local\CrashDumps\QUOTATION_JANQUOTE312025DF.scr.exe.5280.dmp
MD5:
SHA256:

PID: 4008
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\89145120-8306-4f02-b982-c5439789e851.down_data
MD5:
SHA256:

PID: 5156
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCAE4.tmp.WERInternalMetadata.xml
Type: binary
MD5: 1792BFC116649A3F1FB6554A4D010CBE
SHA256: E50E5CBEBF6A29E53677F2A31653B83D5D37F57854837A5CC1700B6CA566C09B

PID: 5156
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERC5E2.tmp.dmp
Type: binary
MD5: 86E8792B64A88BC572D0F38B734A8012
SHA256: 27476F5DE7A151D7DF01EBA50EE7675E3B0782CBA9255C66D45C8F968B7DE7EA

PID: 4008
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\2c265987-a34b-41cc-8618-5f51051e96c5.up_meta_secure
Type: binary
MD5: 457BF5A0641764270DF1FC3FCAD95517
SHA256: 2BCA498C91D5CD518D544CB5E240555CBFACE50A91AEDD321D0F24F2FE07A21A

PID: 4008
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\89145120-8306-4f02-b982-c5439789e851.d2119b22-e9a5-464d-aa96-f03df490495b.down_meta
Type: binary
MD5: 2A97F24FF457F1262B9E136A2CC329BF
SHA256: 992E128DE12947C19658D032501EC3BCC90E1F56AF458C7DDA0A6C1C3346C8EF

PID: 4008
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\BackgroundTransferApi\2c265987-a34b-41cc-8618-5f51051e96c5.d2119b22-e9a5-464d-aa96-f03df490495b.down_meta
Type: binary
MD5: 2A97F24FF457F1262B9E136A2CC329BF
SHA256: 992E128DE12947C19658D032501EC3BCC90E1F56AF458C7DDA0A6C1C3346C8EF

PID: 4008
Process: BackgroundTransferHost.exe
Filename: C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D
Type: binary
MD5: 4872BABAF39AA62B8D32695EBB7E9173
SHA256: 2EE85DF86EE29BBEB3DCA81AA29B6DE204F605A2769B84C728A329178A2D0999

PID: 5156
Process: WerFault.exe
Filename: C:\ProgramData\Microsoft\Windows\WER\Temp\WERCB33.tmp.xml
Type: xml
MD5: 3360A17C7AEBD114DBDE4DE5224AC503
SHA256: 45DA6A8DA05B6CCDB33357F07D545F4CB5D65DB5C71AE6D5B5AD387D549D7C6B
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 29
DNS requests: 19
Threats: 1

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
PID:
Process:
Method: GET
HTTP Code: 200
IP: 23.216.77.6:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN: unknown
Reputation: whitelisted

PID: 5496
Process: MoUsoCoreWorker.exe
Method: GET
HTTP Code: 200
IP: 23.216.77.6:80
URL: http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
CN: unknown
Reputation: whitelisted

PID: 5280
Process: QUOTATION_JANQUOTE312025DF.scr.exe
Method: GET
HTTP Code: 301
IP: 23.237.50.106:80
URL: http://1010.filemail.com/api/file/get?filekey=-_kBKBT13jX2_LIfYPjjbfkjHjzAesZvr5R3Rl17LoBiliq1BJLUAmc8TXt4ve25JA&pk_vid=8e2aec8f065dac991740375555c1eb95
CN: unknown
Reputation: malicious

PID: 6544
Process: svchost.exe
Method: GET
HTTP Code: 200
IP: 184.30.131.245:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
CN: unknown
Reputation: whitelisted

PID: 1228
Process: backgroundTaskHost.exe
Method: GET
HTTP Code: 200
IP: 184.30.131.245:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAUZZSZEml49Gjh0j13P68w%3D
CN: unknown
Reputation: whitelisted

PID: 5740
Process: SIHClient.exe
Method: GET
HTTP Code: 200
IP: 2.19.217.218:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
CN: unknown
Reputation: whitelisted

PID: 4008
Process: BackgroundTransferHost.exe
Method: GET
HTTP Code: 200
IP: 184.30.131.245:80
URL: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
CN: unknown
Reputation: whitelisted

PID: 5740
Process: SIHClient.exe
Method: GET
HTTP Code: 200
IP: 2.19.217.218:80
URL: http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
CN: unknown
Reputation: whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
PID: 2104
Process: svchost.exe
IP: 51.104.136.2:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: IE
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:137
Reputation: whitelisted

PID: 4
Process: System
IP: 192.168.100.255:138
Reputation: whitelisted

PID:
Process:
IP: 20.73.194.208:443
Domain: settings-win.data.microsoft.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: NL
Reputation: whitelisted

PID:
Process:
IP: 23.216.77.6:80
Domain: crl.microsoft.com
ASN: Akamai International B.V.
CN: DE
Reputation: whitelisted

PID: 5496
Process: MoUsoCoreWorker.exe
IP: 23.216.77.6:80
Domain: crl.microsoft.com
ASN: Akamai International B.V.
CN: DE
Reputation: whitelisted

PID: 5280
Process: QUOTATION_JANQUOTE312025DF.scr.exe
IP: 23.237.50.106:80
Domain: 1010.filemail.com
ASN: COGENT-174
CN: US
Reputation: malicious

PID: 5280
Process: QUOTATION_JANQUOTE312025DF.scr.exe
IP: 23.237.50.106:443
Domain: 1010.filemail.com
ASN: COGENT-174
CN: US
Reputation: malicious

PID: 3216
Process: svchost.exe
IP: 40.113.110.67:443
Domain: client.wns.windows.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: NL
Reputation: whitelisted

PID: 6544
Process: svchost.exe
IP: 40.126.32.72:443
Domain: login.live.com
ASN: MICROSOFT-CORP-MSN-AS-BLOCK
CN: NL
Reputation: whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 20.73.194.208
  • 40.127.240.158
whitelisted
google.com
  • 172.217.18.14
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
whitelisted
1010.filemail.com
  • 23.237.50.106
malicious
client.wns.windows.com
  • 40.113.110.67
whitelisted
login.live.com
  • 40.126.32.72
  • 20.190.160.130
  • 20.190.160.66
  • 20.190.160.132
  • 40.126.32.140
  • 20.190.160.2
  • 40.126.32.68
  • 20.190.160.20
whitelisted
ocsp.digicert.com
  • 184.30.131.245
whitelisted
arc.msn.com
  • 20.31.169.57
whitelisted
www.bing.com
  • 23.212.110.162
  • 23.212.110.144
whitelisted
slscr.update.microsoft.com
  • 20.12.23.50
whitelisted

Threats

PID
Process
Class
Message
PID: 5280
Process: QUOTATION_JANQUOTE312025DF.scr.exe
Class: Not Suspicious Traffic
Message: INFO [ANY.RUN] Observed File Sharing Service Download Domain (filemail.com)
No debug info