File name: FG098765678900000879.exe

Full analysis: https://app.any.run/tasks/44c5f1ba-6964-4645-9deb-689f1f0795dd
Verdict: Malicious activity
Threats:

DarkCloud is an infostealer that focuses on collecting and exfiltrating browser data from the infected device. The malware is also capable of keylogging and crypto address swapping. DarkCloud is typically delivered to victims’ computers via phishing emails.

Analysis date: June 26, 2025, 06:42:15
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: netreactor, darkcloud, upx
Indicators:
MD5:

ACF3F3E112F8562516FDD99CA05B4E3F

SHA1:

75047853D94CBF537B3D41FC7FA0E47209CA1150

SHA256:

8C8CBA879983D9F4D37FD6FB13D1062CE7A56B83D52D57BF54121523FB74E554

SSDEEP:

49152:cQDg2YVq60IGP57Y4vvsP+/ct4Ai7wlgQEN+HOMyCVcrceIIBQCH4dPn7wfrecB8:X82YVbEpvvH/G4AJClN+HTVdBG4dPkfa

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • FG098765678900000879.exe (PID: 7032)
    • DARKCLOUD has been detected (YARA)

      • RegSvcs.exe (PID: 4868)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • FG098765678900000879.exe (PID: 7032)
    • Reads security settings of Internet Explorer

      • FG098765678900000879.exe (PID: 7032)
  • INFO

    • Checks supported languages

      • FG098765678900000879.exe (PID: 7032)
      • RegSvcs.exe (PID: 4868)
    • Creates files or folders in the user directory

      • FG098765678900000879.exe (PID: 7032)
      • RegSvcs.exe (PID: 4868)
    • .NET Reactor protector has been detected

      • FG098765678900000879.exe (PID: 7032)
    • Reads the computer name

      • FG098765678900000879.exe (PID: 7032)
      • RegSvcs.exe (PID: 4868)
    • Reads the machine GUID from the registry

      • FG098765678900000879.exe (PID: 7032)
      • RegSvcs.exe (PID: 4868)
    • Create files in a temporary directory

      • FG098765678900000879.exe (PID: 7032)
    • Process checks computer location settings

      • FG098765678900000879.exe (PID: 7032)
    • UPX packer has been detected

      • RegSvcs.exe (PID: 4868)
    • Reads the software policy settings

      • slui.exe (PID: 5724)
    • Checks proxy server information

      • slui.exe (PID: 5724)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
Screenshots: all screenshots are available in the full report
Total processes: 140
Monitored processes: 5
Malicious processes: 2
Suspicious processes: 0

Behavior graph

(The graph image is rendered only in the full report. Processes shown in it: fg098765678900000879.exe, schtasks.exe, conhost.exe, regsvcs.exe (tagged #DARKCLOUD), slui.exe.)

Process information

PID: 4456
CMD: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\oRuYmycLZ" /XML "C:\Users\admin\AppData\Local\Temp\tmp9961.tmp"
Path: C:\Windows\SysWOW64\schtasks.exe
Parent process: FG098765678900000879.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Task Scheduler Configuration Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\syswow64\schtasks.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvcrt.dll

PID: 4868
CMD: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Path: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Parent process: FG098765678900000879.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft .NET Services Installation Utility
Version: 4.8.9037.0 built by: NET481REL1
Modules (images):
  • c:\windows\microsoft.net\framework\v4.0.30319\regsvcs.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
  • c:\windows\syswow64\msvbvm60.dll

PID: 5724
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Activation Client
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\slui.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\system32\bcrypt.dll
  • c:\windows\system32\user32.dll

PID: 6404
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: schtasks.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
  • c:\windows\system32\conhost.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcp_win.dll
  • c:\windows\system32\ucrtbase.dll
  • c:\windows\system32\shcore.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\combase.dll
  • c:\windows\system32\rpcrt4.dll

PID: 7032
CMD: "C:\Users\admin\Desktop\FG098765678900000879.exe"
Path: C:\Users\admin\Desktop\FG098765678900000879.exe
Parent process: explorer.exe
User: admin
Company: PageTurn Software
Integrity Level: MEDIUM
Description: BookNook
Exit code: 0
Version: 025.174.0802
Modules (images):
  • c:\users\admin\desktop\fg098765678900000879.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\syswow64\ntdll.dll
  • c:\windows\system32\wow64.dll
  • c:\windows\system32\wow64win.dll
  • c:\windows\system32\wow64cpu.dll
  • c:\windows\syswow64\mscoree.dll
  • c:\windows\syswow64\kernel32.dll
  • c:\windows\syswow64\kernelbase.dll
  • c:\windows\syswow64\apphelp.dll
Total events: 4 392
Read events: 4 392
Write events: 0
Delete events: 0

Modification events

No data
Executable files: 1
Suspicious files: 0
Text files: 1
Unknown types: 3

Dropped files

PID | Process | Filename | Type
4868 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\DBS\WebData | sqlite
  MD5: 983A5B37990067066CF80EDDF2426994
  SHA256: E499265D1817B9CD52AC502B7BE6DEF5174478CAAAB7DADE263A7754E4E838D3
4868 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\DBS\keyDBPath.db | sqlite
  MD5: 0FF3BCDD0BE077B9EB8194B5C09F453C
  SHA256: 225D669E47EB14D8C969799C92AAEF27B66CD984872EA09284E48DB46521E651
7032 | FG098765678900000879.exe | C:\Users\admin\AppData\Local\Temp\tmp9961.tmp | xml
  MD5: C17D51C65238EA0F8B9CE4A15E48AED8
  SHA256: 392EB22C51E8C89DE5ACE32F01E38D220F45FCAF4C9D90235A79F60080998DF1
7032 | FG098765678900000879.exe | C:\Users\admin\AppData\Roaming\oRuYmycLZ.exe | executable
  MD5: ACF3F3E112F8562516FDD99CA05B4E3F
  SHA256: 8C8CBA879983D9F4D37FD6FB13D1062CE7A56B83D52D57BF54121523FB74E554
4868 | RegSvcs.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\DBS\LoginData | sqlite
  MD5: A45465CDCDC6CB30C8906F3DA4EC114C
  SHA256: 4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 28
TCP/UDP connections: 42
DNS requests: 17
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
3572 | RUXIMICS.exe | GET | 200 | 2.16.241.19:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | | | whitelisted
5944 | MoUsoCoreWorker.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
3572 | RUXIMICS.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | | | whitelisted
| | POST | 200 | 20.190.160.2:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 16.7 Kb | whitelisted
| | POST | 200 | 20.190.160.2:443 | https://login.live.com/RST2.srf | unknown | xml | 1.24 Kb | whitelisted
| | POST | 200 | 20.190.160.66:443 | https://login.live.com/RST2.srf | unknown | xml | 11.1 Kb | whitelisted
| | GET | 304 | 172.202.163.200:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | unknown | | |

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3572 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | | | | whitelisted
5944 | MoUsoCoreWorker.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
1268 | svchost.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
3572 | RUXIMICS.exe | 2.16.241.19:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
5944 | MoUsoCoreWorker.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 40.127.240.158 | whitelisted
google.com | 142.250.185.110 | whitelisted
crl.microsoft.com | 2.16.241.19, 2.16.241.12 | whitelisted
www.microsoft.com | 95.101.149.131, 2.23.246.101 | whitelisted
login.live.com | 40.126.32.140, 20.190.160.14, 40.126.32.68, 40.126.32.133, 20.190.160.17, 40.126.32.138, 20.190.160.130, 40.126.32.76 | whitelisted
client.wns.windows.com | 172.211.123.250 | whitelisted
nexusrules.officeapps.live.com | 52.111.243.29 | whitelisted
slscr.update.microsoft.com | 20.109.210.53 | whitelisted
fe3cr.delivery.mp.microsoft.com | 40.69.42.241 | whitelisted
activation-v2.sls.microsoft.com | 20.83.72.98 | whitelisted

Threats

No threats detected
No debug info