File name:

Win32.Cutwail.zip

Full analysis: https://app.any.run/tasks/9984db0a-9d17-46e0-9cf9-4b1c5c5167da
Verdict: Malicious activity
Analysis date: June 26, 2025, 01:32:27
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
arch-exec
phishing
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract, compression method=store
MD5:

DB2CC70364A13C3E10789A53043371F3

SHA1:

7D5C1ECBE541F916C3B1F657ED300C08A0977D93

SHA256:

64C68894407EC425BA179815D44B567B02A72056D8E79D9223062E0A60EA3B3A

SSDEEP:

6144:iWe10lFBWkGii0ojU56rYBpX69YaVjnjfzGeBYaT:iWK0lzVoE6rYBFQZbT

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Generic archive extractor

      • WinRAR.exe (PID: 5808)
    • Changes the autorun value in the registry

      • wuaucldt.exe (PID: 2992)
    • PHISHING has been detected (SURICATA)

      • svchost.exe (PID: 2200)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • counter.exe (PID: 4868)
    • Starts itself from another location

      • counter.exe (PID: 4868)
    • Reads security settings of Internet Explorer

      • WinRAR.exe (PID: 5808)
    • Drops a system driver (possible attempt to evade defenses)

      • WinRAR.exe (PID: 5808)
    • Starts CMD.EXE for commands execution

      • counter.exe (PID: 4868)
  • INFO

    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 5808)
      • firefox.exe (PID: 2320)
    • Checks supported languages

      • counter.exe (PID: 4868)
      • wuaucldt.exe (PID: 2992)
      • counter.exe (PID: 1580)
    • Failed to create an executable file in Windows directory

      • counter.exe (PID: 4868)
    • Launching a file from a Registry key

      • wuaucldt.exe (PID: 2992)
    • Reads Microsoft Office registry keys

      • OpenWith.exe (PID: 7060)
      • firefox.exe (PID: 2320)
      • OpenWith.exe (PID: 7736)
    • Reads security settings of Internet Explorer

      • OpenWith.exe (PID: 7736)
      • OpenWith.exe (PID: 7060)
    • The sample was compiled with English language support

      • firefox.exe (PID: 2320)
    • Application launched itself

      • firefox.exe (PID: 7968)
      • firefox.exe (PID: 424)
      • firefox.exe (PID: 2320)
    • Checks proxy server information

      • slui.exe (PID: 5504)
    • Reads the software policy settings

      • slui.exe (PID: 5504)
    • Launching a file from the Downloads directory

      • firefox.exe (PID: 2320)
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 10
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2015:04:14 22:49:06
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: 1/
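The hash and archive-metadata fields above (MD5/SHA1/SHA256, compression method=store, the leading "1/" directory entry) are what a practitioner reproduces before letting WinRAR touch a sample. The script below is an added example, not part of the ANY.RUN report and not the sample's code: it computes the same fields offline with the standard library and lists the members of a constructed in-memory archive whose names mirror paths from the Dropped files table (contents are dummy bytes). It additionally flags members that start with a PE header and names that would escape the extraction directory, which the static metadata alone does not show.

```python
"""Offline triage of a ZIP sample without extracting it.

Added example (not ANY.RUN's code, not the sample's).  The archive built
below is CONSTRUCTED in memory; member names mirror paths seen in the
report's dropped-files table, the contents are dummy bytes.
"""
import hashlib
import io
import posixpath
import zipfile

# Compression method numbers from the ZIP APPNOTE; the report shows "store" (0).
_METHODS = {0: "store", 8: "deflate", 12: "bzip2", 14: "lzma"}


def build_sample_zip() -> bytes:
    """CONSTRUCTED stand-in for Win32.Cutwail.zip: stored entries, a directory
    entry '1/' (as in the EXIF block), PE-looking members and one zip-slip name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_STORED) as zf:
        zf.writestr("1/", b"")
        zf.writestr("1/loader_00400000.Embedded01.DLL", b"MZ" + b"\x00" * 62 + b"PE\x00\x00")
        zf.writestr("2/counter.exe", b"MZ" + b"\x90" * 100)
        zf.writestr("3/unpacked_.safe", b"not a PE, just text\n")
        # Path-traversal member: an extractor that trusts names would write outside the target dir.
        zf.writestr("../../Users/admin/wuaucldt.exe", b"MZ" + b"\x00" * 10)
    return buf.getvalue()


def hashes(data: bytes) -> dict:
    """Upper-case hex digests in the same three algorithms the report header lists."""
    return {name: hashlib.new(name, data).hexdigest().upper() for name in ("md5", "sha1", "sha256")}


def is_pe(head: bytes) -> bool:
    """Cheap first pass: PE images start with the 'MZ' DOS stub."""
    return head[:2] == b"MZ"


def unsafe_path(name: str) -> bool:
    """True for member names that would land outside the extraction directory."""
    norm = posixpath.normpath(name.replace("\\", "/"))
    return name.startswith(("/", "\\")) or norm.startswith("..") or ":" in name.split("/")[0]


def triage(data: bytes) -> dict:
    """Hashes plus a per-member inventory; nothing is written to disk."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    entries = []
    for info in zf.infolist():
        head = b"" if info.is_dir() else zf.open(info).read(64)
        entries.append({
            "name": info.filename,
            "dir": info.is_dir(),
            "method": _METHODS.get(info.compress_type, str(info.compress_type)),
            "size": info.file_size,
            "pe": is_pe(head),
            "unsafe_path": unsafe_path(info.filename),
        })
    return {
        "hashes": hashes(data),
        "entries": entries,
        "pe_count": sum(e["pe"] for e in entries),
        "unsafe_paths": [e["name"] for e in entries if e["unsafe_path"]],
        "all_stored": all(e["method"] == "store" for e in entries),
    }


if __name__ == "__main__":
    report = triage(build_sample_zip())
    for algo, digest in report["hashes"].items():
        print(f"{algo.upper()}: {digest}")
    for e in report["entries"]:
        flags = (" [PE]" if e["pe"] else "") + (" [UNSAFE PATH]" if e["unsafe_path"] else "")
        print(f"{e['method']:8} {e['size']:6} {e['name']}{flags}")
```

Run it on the real archive by replacing `build_sample_zip()` with the file's bytes; the digests should then match the MD5/SHA1/SHA256 in the header, and any `[PE]` member is a candidate for the counter.exe / loader stage seen later in the report.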
No data.
All screenshots are available in the full report
Total processes
162
Monitored processes
29
Malicious processes
4
Suspicious processes
0

Behavior graph

Process nodes, in the order the graph shows them ("no specs" is the report's own marker on a node):
start
winrar.exe
counter.exe
wuaucldt.exe
svchost.exe
cmd.exe (no specs)
conhost.exe (no specs)
slui.exe
openwith.exe (no specs)
firefox.exe (no specs)
firefox.exe
firefox.exe (no specs), 11 nodes
openwith.exe (no specs)
firefox.exe (no specs), 6 nodes
counter.exe (no specs)
svchost.exe (#PHISHING)

Process information

PID: 424
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\admin\AppData\Local\Temp\Rar$DIb5808.41564\unpacked_.safe"
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: OpenWith.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\program files\mozilla firefox\vcruntime140_1.dll
c:\program files\mozilla firefox\msvcp140.dll
c:\windows\system32\crypt32.dll
PID: 768
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -prefsHandle 3388 -prefsLen 36996 -prefMapHandle 3392 -prefMapSize 272997 -ipcHandle 3336 -initialChannelId {37fb0fc4-81bd-4203-bf61-0141f4a6b351} -parentPid 2320 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2320" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 984
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4872 -prefsLen 39068 -prefMapHandle 4904 -prefMapSize 272997 -jsInitHandle 4908 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 4916 -initialChannelId {06800f07-8238-4141-898c-14a7a6bb5853} -parentPid 2320 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2320" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\vcruntime140.dll
PID: 1580
CMD: "C:\Users\admin\AppData\Local\Temp\Rar$EXb5808.658\2\counter.exe"
Path: C:\Users\admin\AppData\Local\Temp\Rar$EXb5808.658\2\counter.exe
Parent process: WinRAR.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\rar$exb5808.658\2\counter.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID: 2144
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -sandboxingKind 0 -prefsHandle 4876 -prefsLen 44905 -prefMapHandle 4880 -prefMapSize 272997 -ipcHandle 4760 -initialChannelId {9f9f75b1-37f7-429d-9838-02c6c1758715} -parentPid 2320 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2320" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1.dll
c:\windows\system32\crypt32.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
(This is the Windows DNS Client service. Network detections on DNS traffic, including the PHISHING hit listed under Indicators, are attributed to it because it resolves names on behalf of every other process; the alert concerns the name being looked up, not svchost.exe itself.)
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2280
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4064 -prefsLen 44926 -prefMapHandle 4068 -prefMapSize 272997 -jsInitHandle 4072 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 4012 -initialChannelId {4b03ca4d-29ae-47b0-80d1-6603ca28275e} -parentPid 2320 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2320" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1.dll
PID: 2320
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\admin\AppData\Local\Temp\Rar$DIb5808.41564\unpacked_.safe
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
PID: 2388
CMD: C:\WINDOWS\system32\cmd.exe /c del c:\users\admin\appdata\local\temp\RAR$EX~1.376\2\counter.exe
Path: C:\Windows\SysWOW64\cmd.exe
Parent process: counter.exe
(The command line names system32 but the image resolved to SysWOW64: the 32-bit counter.exe is subject to WOW64 file-system redirection. The delete target is an extracted counter.exe written in 8.3 short-name form, consistent with the dropper removing its own copy after launching wuaucldt.exe; match such commands on the file name rather than the full path.)
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\combase.dll
PID: 2992
CMD: c:\users\admin\wuaucldt.exe
Path: C:\Users\admin\wuaucldt.exe
Parent process: counter.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\wuaucldt.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
Total events
21 876
Read events
21 797
Write events
79
Delete events
0

Modification events

(PID) Process: (5808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\preferences.zip

(PID) Process: (5808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\chromium_ext.zip

(PID) Process: (5808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip

(PID) Process: (5808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\Win32.Cutwail.zip

(PID) Process: (5808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (5808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (5808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120

(PID) Process: (5808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation: write
Name: mtime
Value: 100

(PID) Process: (5808) WinRAR.exe
Key: HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation: write
Name: ShowPassword
Value: 1

(PID) Process: (2992) wuaucldt.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: wuaucldt
Value: c:\windows\system32\wuaucldt.exe

Note on the last entry: this is the write behind the "Changes the autorun value in the registry" indicator. It lands under WOW6432Node because wuaucldt.exe runs as a 32-bit (WOW64) process and its HKLM\SOFTWARE writes are redirected; Windows still processes this Run key at logon. The value points at c:\windows\system32\wuaucldt.exe, but the only wuaucldt.exe written in this run is C:\Users\admin\wuaucldt.exe (see Dropped files) and counter.exe triggered "Failed to create an executable file in Windows directory", so the autorun target probably does not exist on this machine; the persistence would only become effective if the copy into System32 succeeds, for example when the dropper runs elevated. Verify the target path on disk before treating the Run value as live persistence.
Executable files
27
Suspicious files
255
Text files
37
Unknown types
1

Dropped files

PID: 2320 / Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shm
Type: binary
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB

PID: 5808 / Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb5808.37623\1\loader_00400000.Embedded01.DLL
Type: executable
MD5: 9A6598AC4E9E50F2E19E2DFB865CA2D9
SHA256: B10EEEA84D9BF0314DCD86BFB6F931330D6CB52E6FB0BF4D1B8FE09DA3C332BA

PID: 5808 / Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb5808.37623\4\decrypted.ex_
Type: executable
MD5: F593D4EABA8DC72A22309A69475E9729
SHA256: 15F55C1FCB62950727289654E5D82AF0DA2DEAAE43DB8CA08B64E4086B503F4F

PID: 5808 / Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb5808.37623\4\hui.ex1
Type: executable
MD5: AF4B04164D37352490FF297A719B575E
SHA256: 98EA2381E5E1183B578D09A7A698BFE18B5FBAE56F5CA434B1DADAC1CE3BD632

PID: 2320 / Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\sessionCheckpoints.json.tmp
Type: binary
MD5: EA8B62857DFDBD3D0BE7D7E4A954EC9A
SHA256: 792955295AE9C382986222C6731C5870BD0E921E7F7E34CC4615F5CD67F225DA

PID: 5808 / Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$EXb5808.37623\3\unpacked_.safe
Type: executable
MD5: D5D09F257F4752E885140DE25594D53B
SHA256: 8450D4FB93D45757950C2A65245C877B0116C6F696B0FBFD93814326EDBE914E

PID: 2320 / Process: firefox.exe
Filename: C:\Users\admin\AppData\Roaming\Mozilla\Firefox\Profiles\9kie7cg6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
MD5:
SHA256:

PID: 5808 / Process: WinRAR.exe
Filename: C:\Users\admin\AppData\Local\Temp\Rar$DIb5808.41564\unpacked_.safe
Type: executable
MD5: D5D09F257F4752E885140DE25594D53B
SHA256: 8450D4FB93D45757950C2A65245C877B0116C6F696B0FBFD93814326EDBE914E

PID: 2320 / Process: firefox.exe
Filename: C:\Users\admin\AppData\Local\Mozilla\Firefox\Profiles\9kie7cg6.default-release\startupCache\urlCache-current.bin
Type: binary
MD5: 3134ED3F12E4F4F8643DB90043B0FD7B
SHA256: 26E4F122034D7A03F6DA0E707799B09CBEEBDAF8D7A3133A1F7BD894AC72EEA1

PID: 4868 / Process: counter.exe
Filename: C:\Users\admin\wuaucldt.exe
Type: executable
MD5: B2D137AC14F97F1667AF89F0CB3B8488
SHA256: 961537D5FD688EA7EAABDE87883DB48B0DA2F103971C27D805713EC87D51D44E
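The chain visible across the process, registry and dropped-files tables (counter.exe writes C:\Users\admin\wuaucldt.exe and starts it, spawns cmd.exe to delete an extracted counter.exe, and wuaucldt.exe writes a Run value named after the Windows Update client wuauclt.exe) is the part of this report worth turning into detection logic. The script below is an added example, not ANY.RUN's code. Its EVENTS list is reconstructed from the report's tables; the image path of PID 4868, its parent, and all timestamps are not on the page and are marked as assumptions or left out, and the look-alike reference list and the edit-distance threshold are assumptions too.

```python
"""Triage rules over the process / file / registry artefacts in this report.

Added example, not ANY.RUN's code.  EVENTS is CONSTRUCTED from the report's
tables (process tree, dropped files, modification events).  Three checks a
responder would run on such telemetry:
  1. executable dropped by a process and then launched as its child
     ("Starts itself from another location"),
  2. self-deletion through `cmd.exe /c del <own image>`,
  3. Run-key persistence whose target was never written, plus a look-alike
     check of the value name against well-known Windows binaries.
"""
import ntpath
import re

EVENTS = [
    # ASSUMED image path for 4868: the page only gives the 8.3 form RAR$EX~1.376
    # in the del command; parent PID is not on the page and is left as None.
    {"type": "process", "pid": 4868, "ppid": None,
     "image": r"C:\Users\admin\AppData\Local\Temp\Rar$EXb5808.376\2\counter.exe", "cmdline": ""},
    {"type": "file", "pid": 4868, "path": r"C:\Users\admin\wuaucldt.exe", "executable": True},
    {"type": "process", "pid": 2992, "ppid": 4868,
     "image": r"C:\Users\admin\wuaucldt.exe", "cmdline": r"c:\users\admin\wuaucldt.exe"},
    {"type": "process", "pid": 2388, "ppid": 4868, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\WINDOWS\system32\cmd.exe /c del c:\users\admin\appdata\local\temp\RAR$EX~1.376\2\counter.exe"},
    {"type": "registry", "pid": 2992,
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "wuaucldt", "data": r"c:\windows\system32\wuaucldt.exe"},
]

# ASSUMPTION: a small reference list; in production build it from a real inventory of %SystemRoot%.
KNOWN_BINARIES = {"wuauclt.exe", "svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "winlogon.exe"}

# `cmd /c del [switches] <path>`; the path may be quoted.
DEL_RE = re.compile(r'/c\s+del\b(?:\s+/\w)*\s+"?([^"]+?)"?\s*$', re.I)


def norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def base(path: str) -> str:
    return ntpath.basename(norm(path))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used for the look-alike check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str):
    """Known binary this value name imitates (distance 1-2, ASSUMED threshold), else None."""
    name = name.lower()
    if not name.endswith(".exe"):
        name += ".exe"
    if name in KNOWN_BINARIES:
        return None
    dist, known = min((edit_distance(name, k), k) for k in KNOWN_BINARIES)
    return known if dist <= 2 else None


def detect(events):
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    written = {}                       # pid -> set of executable paths it wrote
    for e in events:
        if e["type"] == "file" and e.get("executable"):
            written.setdefault(e["pid"], set()).add(norm(e["path"]))
    every_written = set().union(*written.values()) if written else set()
    findings = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            if parent is None:
                continue
            # Rule 1: child image is a file its parent just wrote.
            if norm(e["image"]) in written.get(parent["pid"], set()):
                findings.append({"rule": "drop_and_relaunch", "pid": e["pid"],
                                 "dropper": parent["pid"], "image": e["image"]})
            # Rule 2: cmd.exe deleting the parent's own image.
            m = DEL_RE.search(e.get("cmdline", ""))
            if m and base(e["image"]) == "cmd.exe":
                target = norm(m.group(1))
                if target == norm(parent["image"]):
                    how = "exact path"
                elif base(target) == base(parent["image"]):
                    how = "basename only (8.3 short path in command line)"
                else:
                    continue
                findings.append({"rule": "self_delete", "pid": parent["pid"], "target": target, "match": how})
        elif e["type"] == "registry" and norm(e["key"]).endswith(r"\currentversion\run"):
            # Rule 3: autorun value; was its target ever written, and does its name imitate a Windows binary?
            data = norm(e["data"])
            findings.append({"rule": "autorun", "pid": e["pid"], "name": e["name"], "target": data,
                             "target_written": data in every_written, "imitates": lookalike(e["name"])})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

The del command uses the 8.3 short name RAR$EX~1.376, so an exact-path comparison against the parent image misses; the rule falls back to file-name equality and records which comparison matched. The autorun finding carries `target_written: False`, which is the dangling-target situation the registry note above describes.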
HTTP(S) requests
25
TCP/UDP connections
331
DNS requests
232
Threats
224

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
1268 | svchost.exe | GET | 200 | 2.20.245.137:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6320 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
316 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
2320 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/canonical.html | unknown | whitelisted
316 | SIHClient.exe | GET | 200 | 69.192.161.161:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
2320 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted
2320 | firefox.exe | POST | 200 | 142.250.186.163:80 | http://o.pki.goog/we2 | unknown | whitelisted
2320 | firefox.exe | POST | 200 | 142.250.186.163:80 | http://o.pki.goog/s/wr3/k58 | unknown | whitelisted
2320 | firefox.exe | GET | 200 | 34.107.221.82:80 | http://detectportal.firefox.com/success.txt?ipv4 | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
1268 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
592 | RUXIMICS.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
1268 | svchost.exe | 2.20.245.137:80 | crl.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
6320 | svchost.exe | 20.190.160.64:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
6320 | svchost.exe | 2.23.77.188:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 51.124.78.146
whitelisted
google.com
  • 216.58.206.78
whitelisted
crl.microsoft.com
  • 2.20.245.137
  • 2.20.245.139
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 69.192.161.161
whitelisted
login.live.com
  • 20.190.160.64
  • 40.126.32.138
  • 20.190.160.17
  • 20.190.160.4
  • 40.126.32.74
  • 40.126.32.68
  • 40.126.32.136
  • 20.190.160.22
whitelisted
ocsp.digicert.com
  • 2.23.77.188
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 172.211.123.250
whitelisted
nexusrules.officeapps.live.com
  • 52.111.236.23
whitelisted
ex2.broadser
unknown
www.jica.go.jp
  • 108.138.26.27
  • 108.138.26.115
  • 108.138.26.14
  • 108.138.26.110
unknown

Threats

PID | Process | Class | Message
- | - | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW)
4824 | svchost.exe | Generic Protocol Command Decode | SURICATA TLS handshake invalid length
4824 | svchost.exe | Generic Protocol Command Decode | SURICATA TLS handshake invalid length
4824 | svchost.exe | Generic Protocol Command Decode | SURICATA TLS handshake invalid length
4824 | svchost.exe | Generic Protocol Command Decode | SURICATA TLS handshake invalid length
4824 | svchost.exe | Generic Protocol Command Decode | SURICATA TLS handshake invalid length
4824 | svchost.exe | A Network Trojan was detected | ET MALWARE Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length)
4824 | svchost.exe | Generic Protocol Command Decode | SURICATA TLS handshake invalid length
4824 | svchost.exe | A Network Trojan was detected | ET MALWARE Possible Variant.Kazy.53640 Malformed Client Hello SSL 3.0 (Cipher_Suite length greater than Client_Hello Length)
4824 | svchost.exe | Generic Protocol Command Decode | SURICATA TLS handshake invalid length
(PID 4824 is not among the processes detailed in the Process information section above; its command line and parent are only in the full report, so which component emitted the malformed SSL 3.0 ClientHello cannot be settled from this page.)
No debug info
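The two "Malformed Client Hello SSL 3.0" alerts and the surrounding "TLS handshake invalid length" decoder alerts in the Threats table all describe the same kind of defect: a length field inside the ClientHello that is larger than the handshake carrying it. The parser below is an added example, not ANY.RUN's or Emerging Threats' code; the rule body is not on the page, so it implements the condition the rule name states (cipher_suites length exceeding the remaining ClientHello body) as an assumption, on constructed records: a well-formed TLS 1.2 hello and a forged SSL 3.0 one with the cipher_suites length set to 0x1000.

```python
"""Length-consistency check for a TLS/SSL ClientHello.

Added example, not ANY.RUN's or Emerging Threats' code.  Both records it
checks are CONSTRUCTED here; no traffic from the report is reproduced.
"""
import struct


def build_client_hello(version=0x0303, cipher_suites=(0xC02F, 0xC030), cipher_len_override=None):
    """CONSTRUCTED ClientHello: record header + handshake header + body, no extensions.
    cipher_len_override forges the cipher_suites length field to reproduce the
    malformed case the signature describes."""
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    cs_len = len(suites) if cipher_len_override is None else cipher_len_override
    body = (struct.pack("!H", version)          # client_version
            + b"\x11" * 32                      # random (fixed bytes, constructed)
            + b"\x00"                           # session_id length 0
            + struct.pack("!H", cs_len) + suites
            + b"\x01\x00")                      # compression_methods: [null]
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake   # ContentType handshake


def check_client_hello(data: bytes) -> dict:
    """Parse one record; return {"ok": True, "version", "cipher_suites"} or {"ok": False, "reason", ...}."""
    if len(data) < 5 or data[0] != 0x16:
        return {"ok": False, "reason": "not a TLS handshake record"}
    rec_version, rec_len = struct.unpack("!HH", data[1:5])
    handshake = data[5:]
    if rec_len != len(handshake):
        return {"ok": False, "version": rec_version,
                "reason": f"record length {rec_len} != {len(handshake)} bytes present"}
    if len(handshake) < 4 or handshake[0] != 0x01:
        return {"ok": False, "version": rec_version, "reason": "not a ClientHello"}
    hs_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:]
    if hs_len != len(body):
        return {"ok": False, "version": rec_version,
                "reason": f"handshake length {hs_len} != {len(body)} bytes present"}
    if len(body) < 35:
        return {"ok": False, "version": rec_version, "reason": "ClientHello too short for version+random"}
    version = struct.unpack("!H", body[:2])[0]
    off = 2 + 32                                     # skip client_version and random
    sid_len = body[off]
    off += 1 + sid_len
    if off + 2 > len(body):
        return {"ok": False, "version": version, "reason": "session_id overruns ClientHello"}
    cs_len = struct.unpack("!H", body[off:off + 2])[0]
    off += 2
    remaining = len(body) - off
    if cs_len > remaining:
        # The condition the ET "Malformed Client Hello" signature names.
        return {"ok": False, "version": version,
                "reason": f"cipher_suites length {cs_len} exceeds remaining ClientHello body ({remaining} bytes)"}
    if cs_len % 2:
        return {"ok": False, "version": version, "reason": f"cipher_suites length {cs_len} is odd"}
    suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(off, off + cs_len, 2)]
    off += cs_len
    if off >= len(body) or off + 1 + body[off] > len(body):
        return {"ok": False, "version": version, "reason": "compression_methods overruns ClientHello"}
    return {"ok": True, "version": version, "cipher_suites": suites}


if __name__ == "__main__":
    print(check_client_hello(build_client_hello()))
    print(check_client_hello(build_client_hello(version=0x0300, cipher_len_override=0x1000)))
```

A TLS stack never produces the second record, which is why a single such alert from a host is worth a look even before the payload is identified; note that the report attributes it to PID 4824, a process whose details are not on this page.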