File name:

facturadepago.exe

Full analysis: https://app.any.run/tasks/b9799b10-13c5-4d8e-b889-13c70ae1b40d
Verdict: Malicious activity
Threats:

DarkCloud is an infostealer that focuses on collecting and exfiltrating browser data from the infected device. The malware is also capable of keylogging and crypto address swapping. DarkCloud is typically delivered to victims’ computers via phishing emails.

Malware Trends Tracker     >>>
Analysis date: April 29, 2025, 09:15:25
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
evasion
darkcloud
upx
ims-api
generic
amsi-bypass
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:

39C011517F3DB30FD598F4EA6CA46B40

SHA1:

92E669B7F25FB80D7F9D48E7AD4B5DCACBB9E32E

SHA256:

D11CAEC43B34F3572CA3A4D59E2D017C913BCBC4D285AB108CF20F1A35916B09

SSDEEP:

49152:+NUz7MqkfA4+eTwFlqHsxUkzAuwbkKEDWhaRzRc5woRNAanCQk+aRsLiS5:+Ofco4+gccQ7Au0kK5IjcaGNtOS

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Uses Task Scheduler to run other applications

      • facturadepago.exe (PID: 7804)

    • DARKCLOUD has been detected (YARA)

      • facturadepago.exe (PID: 8148)

    • Stealers network behavior

      • facturadepago.exe (PID: 8148)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • facturadepago.exe (PID: 7804)

    • Possibly patching Antimalware Scan Interface function (YARA)

      • facturadepago.exe (PID: 7804)

    • Reads security settings of Internet Explorer

      • facturadepago.exe (PID: 7804)
      • facturadepago.exe (PID: 8148)

    • Application launched itself

      • facturadepago.exe (PID: 7804)

    • Checks for external IP

      • facturadepago.exe (PID: 8148)

    • Possible usage of Discord/Telegram API has been detected (YARA)

      • facturadepago.exe (PID: 8148)

  • INFO

    • Checks supported languages

      • facturadepago.exe (PID: 7804)
      • facturadepago.exe (PID: 8148)

    • Creates files or folders in the user directory

      • facturadepago.exe (PID: 7804)
      • facturadepago.exe (PID: 8148)

    • Reads the computer name

      • facturadepago.exe (PID: 7804)
      • facturadepago.exe (PID: 8148)

    • Reads the machine GUID from the registry

      • facturadepago.exe (PID: 7804)
      • facturadepago.exe (PID: 8148)

    • Create files in a temporary directory

      • facturadepago.exe (PID: 7804)

    • Process checks computer location settings

      • facturadepago.exe (PID: 7804)

    • Checks proxy server information

      • facturadepago.exe (PID: 8148)
      • slui.exe (PID: 7468)

    • UPX packer has been detected

      • facturadepago.exe (PID: 8148)

    • Reads the software policy settings

      • slui.exe (PID: 7468)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2055:07:31 16:27:32+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 48
CodeSize: 1073152
InitializedDataSize: 2560
UninitializedDataSize: -
EntryPoint: 0x107fd6
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
Comments: -
CompanyName: Microsoft
FileDescription: Advanced System Settings
FileVersion: 1.0.0.0
InternalName: ourd.exe
LegalCopyright: Copyright © Microsoft Corporation. All rights reserved.
LegalTrademarks: -
OriginalFileName: ourd.exe
ProductName: Advanced System Settings
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
screenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
130
Monitored processes
5
Malicious processes
2
Suspicious processes
0

Behavior graph

Click at the process to see the details
start facturadepago.exe schtasks.exe no specs conhost.exe no specs #DARKCLOUD facturadepago.exe slui.exe

Process information

PID
CMD
Path
Indicators
Parent process
7468C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
7804"C:\Users\admin\Desktop\facturadepago.exe" C:\Users\admin\Desktop\facturadepago.exe
explorer.exe
User:
admin
Company:
Microsoft
Integrity Level:
MEDIUM
Description:
Advanced System Settings
Exit code:
0
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\facturadepago.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\mscoree.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
8080"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ZddHknwDzcl" /XML "C:\Users\admin\AppData\Local\Temp\tmpADA.tmp"C:\Windows\SysWOW64\schtasks.exefacturadepago.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Scheduler Configuration Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\schtasks.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvcrt.dll
8088\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exeschtasks.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
8148"C:\Users\admin\Desktop\facturadepago.exe"C:\Users\admin\Desktop\facturadepago.exe
facturadepago.exe
User:
admin
Company:
Microsoft
Integrity Level:
MEDIUM
Description:
Advanced System Settings
Version:
1.0.0.0
Modules
Images
c:\users\admin\desktop\facturadepago.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
Total events
4 504
Read events
4 501
Write events
3
Delete events
0

Modification events

(PID) Process:(8148) facturadepago.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:writeName:CachePrefix
Value:
(PID) Process:(8148) facturadepago.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:writeName:CachePrefix
Value:
Cookie:
(PID) Process:(8148) facturadepago.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:writeName:CachePrefix
Value:
Visited:
Executable files
1
Suspicious files
5
Text files
1
Unknown types
0

Dropped files

PID
Process
Filename
Type
7804facturadepago.exeC:\Users\admin\AppData\Local\Temp\tmpADA.tmpxml
MD5:96ABBC188DF8E1534EFDC08459860E4C
SHA256:50E38252AEF0013F75B394392591C2771336C0FBBF9527231C1E49A0AEF0D918
8148facturadepago.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\DESKTOP-JGLLJLD-admin\cookies.dbbinary
MD5:19BA68C3ECBCA72C2B90AFADDE745DC6
SHA256:8B3758EE2D2C0A07EE7003F902F0667ABE5D9667941F8617EDA3CDF94C78E7B8
8148facturadepago.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\DESKTOP-JGLLJLD-admin\LoginDatabinary
MD5:A45465CDCDC6CB30C8906F3DA4EC114C
SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209
8148facturadepago.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\DESKTOP-JGLLJLD-admin\keyDBPath.dbbinary
MD5:0FF3BCDD0BE077B9EB8194B5C09F453C
SHA256:225D669E47EB14D8C969799C92AAEF27B66CD984872EA09284E48DB46521E651
8148facturadepago.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\DESKTOP-JGLLJLD-admin\cookies.db-shmbinary
MD5:B7C14EC6110FA820CA6B65F5AEC85911
SHA256:FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
8148facturadepago.exeC:\Users\admin\AppData\Roaming\Microsoft\Windows\Templates\DESKTOP-JGLLJLD-admin\WebDatabinary
MD5:F6C33AC5E1032A0873BE7BFC65169287
SHA256:D97895CEDED32E33D57BDCACCDBE144E58AA87AF4D2F8855D630286CE30A8D83
7804facturadepago.exeC:\Users\admin\AppData\Roaming\ZddHknwDzcl.exeexecutable
MD5:39C011517F3DB30FD598F4EA6CA46B40
SHA256:D11CAEC43B34F3572CA3A4D59E2D017C913BCBC4D285AB108CF20F1A35916B09
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
25
TCP/UDP connections
38
DNS requests
16
Threats
3

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2104
svchost.exe
GET
200
23.216.77.6:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
2104
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
8148
facturadepago.exe
GET
200
162.55.60.2:80
http://showip.net/
unknown
shared
GET
304
20.12.23.50:443
https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL
unknown
660
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
660
SIHClient.exe
GET
200
23.216.77.30:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
660
SIHClient.exe
GET
200
23.216.77.30:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
660
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
GET
200
20.3.187.198:443
https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping
unknown
660
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:137
whitelisted
2104
svchost.exe
40.127.240.158:443
MICROSOFT-CORP-MSN-AS-BLOCK
IE
unknown
4
System
192.168.100.255:138
whitelisted
4.231.128.59:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2104
svchost.exe
23.216.77.6:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
2104
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
8148
facturadepago.exe
162.55.60.2:80
showip.net
Hetzner Online GmbH
DE
shared
7528
slui.exe
20.83.72.98:443
activation-v2.sls.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 4.231.128.59
  • 20.73.194.208
whitelisted
google.com
  • 142.250.186.174
whitelisted
crl.microsoft.com
  • 23.216.77.6
  • 23.216.77.28
  • 23.216.77.30
  • 23.216.77.42
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
showip.net
  • 162.55.60.2
shared
activation-v2.sls.microsoft.com
  • 20.83.72.98
  • 40.91.76.224
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 40.126.31.0
  • 20.190.159.128
  • 20.190.159.68
  • 20.190.159.4
  • 40.126.31.129
  • 20.190.159.64
  • 20.190.159.0
  • 40.126.31.131
whitelisted
slscr.update.microsoft.com
  • 52.149.20.212
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted

Threats

PID
Process
Class
Message
8148
facturadepago.exe
Attempted Information Leak
ET INFO IP Check Domain (showip in HTTP Host)
8148
facturadepago.exe
A Network Trojan was detected
STEALER [ANY.RUN] DarkCloud External IP Check
8148
facturadepago.exe
Device Retrieving External IP Address Detected
ET HUNTING [ANY.RUN] DARKCLOUD Style External IP Check
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
facturadepago.exe