| File name: | itroublveTSC-main.zip |
| Full analysis: | https://app.any.run/tasks/6935a267-83e6-43ec-968b-b962d047b195 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | April 10, 2026, 11:05:09 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/zip |
| File info: | Zip archive data, at least v1.0 to extract, compression method=store |
| MD5: | 828C18B4A4B912CBA65B139F197A30E8 |
| SHA1: | 164247AFA83328F3E2410588D77131F4350AFBC8 |
| SHA256: | 047A95C3F8B093814A1A3190194D85FF776CE0264DB38683B33E720894994E38 |
| SSDEEP: | 98304:UQwXEQg6MmFjcF7rA70w4azIimqq0tRBn4cBIhW+aYuzozE323Xf+RhfADfNDV+F:DCbm5+oifBJoDfgnC+s4UA0vLif |
MALICIOUS
Create files in the Startup directory
- ItroublveTSC.exe (PID: 9056)
Disables Windows Defender
- reg.exe (PID: 5464)
- reg.exe (PID: 476)
- reg.exe (PID: 7964)
- reg.exe (PID: 8640)
- reg.exe (PID: 5356)
Gets path to any of the special folders (SCRIPT)
- wscript.exe (PID: 6404)
- wscript.exe (PID: 5516)
- wscript.exe (PID: 6632)
Password recovery utility (NirSoft) for browsers is detected
- snuvcdsm.exe (PID: 6332)
Steals credentials from Web Browsers
- RtkBtManServ.exe (PID: 7772)
- snuvcdsm.exe (PID: 6332)
- xwizard.exe (PID: 8696)
The tool for viewing Chrome cookies (NirSoft) is detected
- winhlp32.exe (PID: 3120)
The tool for viewing Firefox cookies (NirSoft) is detected
- splwow64.exe (PID: 2868)
The tool for viewing Edge cookies (NirSoft) is detected
- hh.exe (PID: 2856)
Executing a file with an untrusted certificate
- hh.exe (PID: 2856)
Web Browser History Viewer utility (NirSoft) is detected
- xwizard.exe (PID: 8696)
SUSPICIOUS
Executable content was dropped or overwritten
- ItroublveTSC.exe (PID: 9056)
- RtkBtManServ.exe (PID: 7772)
Reads the date of Windows installation
- ItroublveTSC.exe (PID: 9056)
- RtkBtManServ.exe (PID: 7772)
Executing commands from a ".bat" file
- ItroublveTSC.exe (PID: 9056)
- wscript.exe (PID: 6404)
- wscript.exe (PID: 5516)
- wscript.exe (PID: 6632)
Starts CMD.EXE for commands execution
- cmd.exe (PID: 3384)
- cmd.exe (PID: 1700)
- cmd.exe (PID: 5484)
- cmd.exe (PID: 4104)
- cmd.exe (PID: 2052)
Uses REG/REGEDIT.EXE to modify or delete registry entries
- cmd.exe (PID: 3384)
Modifies existing scheduled task
- schtasks.exe (PID: 5920)
- schtasks.exe (PID: 8284)
- schtasks.exe (PID: 1600)
- schtasks.exe (PID: 4952)
- schtasks.exe (PID: 5336)
Creates FileSystem object to access computer's file system (SCRIPT)
- wscript.exe (PID: 6404)
- wscript.exe (PID: 5516)
- wscript.exe (PID: 6632)
Browser credential dumping tool execution detected
- cmd.exe (PID: 1700)
- cmd.exe (PID: 5484)
- cmd.exe (PID: 4104)
The executable file from the user directory is run by the CMD process
- snuvcdsm.exe (PID: 6332)
- winhlp32.exe (PID: 3120)
- splwow64.exe (PID: 2868)
- hh.exe (PID: 2856)
- xwizard.exe (PID: 8696)
BROWSERPASSVIEW has been detected
- cmd.exe (PID: 1700)
Runs shell command (SCRIPT)
- wscript.exe (PID: 6404)
- wscript.exe (PID: 5516)
- wscript.exe (PID: 6632)
Checks for external IP
- svchost.exe (PID: 2292)
- RtkBtManServ.exe (PID: 7772)
Possible stealing from browsers
- snuvcdsm.exe (PID: 6332)
- xwizard.exe (PID: 8696)
Starts CMD.EXE with AutoRun commands disabled
- cmd.exe (PID: 2052)
Uses CHOICE.EXE to delay execution
- cmd.exe (PID: 2052)
File deletion via cmd.exe
- cmd.exe (PID: 2052)
INFO
Create files in a temporary directory
- ItroublveTSC.exe (PID: 9056)
- RtkBtManServ.exe (PID: 7772)
- snuvcdsm.exe (PID: 6332)
- winhlp32.exe (PID: 3120)
- splwow64.exe (PID: 2868)
- hh.exe (PID: 2856)
- xwizard.exe (PID: 8696)
Generic archive extractor
- WinRAR.exe (PID: 7484)
Executable content was dropped or overwritten
- WinRAR.exe (PID: 7484)
Reads the computer name
- ItroublveTSC.exe (PID: 9056)
- RtkBtManServ.exe (PID: 7772)
- snuvcdsm.exe (PID: 6332)
Checks supported languages
- ItroublveTSC.exe (PID: 9056)
- RtkBtManServ.exe (PID: 7772)
- snuvcdsm.exe (PID: 6332)
- winhlp32.exe (PID: 3120)
- splwow64.exe (PID: 2868)
- xwizard.exe (PID: 8696)
- hh.exe (PID: 2856)
Reads security settings of Internet Explorer
- ItroublveTSC.exe (PID: 9056)
- RtkBtManServ.exe (PID: 7772)
Manual execution by a user
- ItroublveTSC.exe (PID: 9056)
Process checks computer location settings
- ItroublveTSC.exe (PID: 9056)
- RtkBtManServ.exe (PID: 7772)
Creates files or folders in the user directory
- ItroublveTSC.exe (PID: 9056)
Launching a file from the Startup directory
- ItroublveTSC.exe (PID: 9056)
Reads the machine GUID from the registry
- RtkBtManServ.exe (PID: 7772)
- snuvcdsm.exe (PID: 6332)
The sample compiled with english language support
- RtkBtManServ.exe (PID: 7772)
Disables trace logs
- RtkBtManServ.exe (PID: 7772)
Reads Environment values
- RtkBtManServ.exe (PID: 7772)
Reads Microsoft Office registry keys
- RtkBtManServ.exe (PID: 7772)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .zip | | | ZIP compressed archive (100) |
|---|
EXIF
ZIP
| ZipRequiredVersion: | 10 |
|---|---|
| ZipBitFlag: | - |
| ZipCompression: | None |
| ZipModifyDate: | 2021:06:09 14:26:14 |
| ZipCRC: | 0x00000000 |
| ZipCompressedSize: | - |
| ZipUncompressedSize: | - |
| ZipFileName: | itroublveTSC-main/ |
Total processes
198
Monitored processes
54
Malicious processes
17
Suspicious processes
3
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 476 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1116 | reg add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1600 | schtasks /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable | C:\Windows\System32\schtasks.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Task Scheduler Configuration Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1700 | "C:\Windows\System32\cmd.exe" /c compile.bat | C:\Windows\System32\cmd.exe | — | wscript.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1944 | choice /C Y /N /D Y /T 3 | C:\Windows\System32\choice.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Offers the user a choice Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2052 | "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Users\admin\AppData\Local\Temp\RtkBtManServ.exe" | C:\Windows\System32\cmd.exe | — | RtkBtManServ.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2292 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2392 | reg add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2496 | reg add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2788 | reg add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f┬┤ | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
7 674
Read events
7 626
Write events
40
Delete events
8
Modification events
| (PID) Process: | (7484) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 3 |
Value: C:\Users\admin\Desktop\chromium_ext.zip | |||
| (PID) Process: | (7484) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 2 |
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip | |||
| (PID) Process: | (7484) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 1 |
Value: C:\Users\admin\Downloads\chromium_build 1.zip | |||
| (PID) Process: | (7484) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory |
| Operation: | write | Name: | 0 |
Value: C:\Users\admin\Desktop\itroublveTSC-main.zip | |||
| (PID) Process: | (7484) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | name |
Value: 120 | |||
| (PID) Process: | (7484) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | size |
Value: 80 | |||
| (PID) Process: | (7484) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | type |
Value: 120 | |||
| (PID) Process: | (7484) WinRAR.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths |
| Operation: | write | Name: | mtime |
Value: 100 | |||
| (PID) Process: | (5464) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | write | Name: | DisableAntiSpyware |
Value: 1 | |||
| (PID) Process: | (7360) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\MpEngine |
| Operation: | write | Name: | MpEnablePus |
Value: 0 | |||
Executable files
18
Suspicious files
24
Text files
23
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7484 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa7484.25509\itroublveTSC-main\bin\Binaries\RtkBtManServ.exe | executable | |
MD5:88AB0BB59B0B20816A833BA91C1606D3 | SHA256:F4FB42C8312A6002A8783E2A1AB4571EB89E92CD192B1A21E8C4582205C37312 | |||
| 7484 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa7484.25509\itroublveTSC-main\ItroublveTSC.exe | executable | |
MD5:33A3190EC49FA155F7E9B178E2240E6B | SHA256:C37500C096EE6DE40EE92D659163D7E3EC93D2E5676B350D63554C172064947D | |||
| 7484 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa7484.25509\itroublveTSC-main\bin\Binaries\whysosad | text | |
MD5:FC3C88C2080884D6C995D48E172FBC4F | SHA256:1637CE704A463BD3C91A38AA02D1030107670F91EE3F0DD4FA13D07A77BA2664 | |||
| 7484 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa7484.25509\itroublveTSC-main\bin\Binaries\config | text | |
MD5:1BA367D0F9AAC0F650E65AB7401776C0 | SHA256:68C4EC552C98F3B5A4744E4EEFADD6364DC8075C2E718B7BCBFC76625AA60D03 | |||
| 7484 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa7484.25509\itroublveTSC-main\bin\App.config | xml | |
MD5:13FF21470B63470978E08E4933EB8E56 | SHA256:16286566D54D81C3721F7ECF7F426D965DE364E9BE2F9E628D7363B684B6FE6A | |||
| 7484 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa7484.25509\itroublveTSC-main\bin\obf\Confuser.Runtime.dll | executable | |
MD5:42E45FA8BB26246ED3B3C2760E782912 | SHA256:C8BCBE8C706659824ED001CAF0BE23B8470A99C0391A23C419884AD93DF3CCE0 | |||
| 7484 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa7484.25509\itroublveTSC-main\bin\obf\Confuser.Renamer.dll | executable | |
MD5:E1656B7BFD3B7C9634F72C4F9085D226 | SHA256:4CE9A9F15724B17DA414C4AAD7B7BFBBA0FD1B80E3D0B8452551D5F79FD32B50 | |||
| 9056 | ItroublveTSC.exe | C:\Users\admin\AppData\Local\Temp\whysosad | text | |
MD5:FC3C88C2080884D6C995D48E172FBC4F | SHA256:1637CE704A463BD3C91A38AA02D1030107670F91EE3F0DD4FA13D07A77BA2664 | |||
| 9056 | ItroublveTSC.exe | C:\Users\admin\AppData\Local\Temp\config | text | |
MD5:1BA367D0F9AAC0F650E65AB7401776C0 | SHA256:68C4EC552C98F3B5A4744E4EEFADD6364DC8075C2E718B7BCBFC76625AA60D03 | |||
| 7484 | WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa7484.25509\itroublveTSC-main\bin\obf\Teen.dll | executable | |
MD5:FB9D14387B89B30606D094AE8CD93EA0 | SHA256:68EAC14CA256F9871CC85FFC77C86B1D6378E6C900DFF34F8B697BE07B77446A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
28
TCP/UDP connections
26
DNS requests
18
Threats
20
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
8756 | svchost.exe | GET | 304 | 20.73.194.208:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | — | — | whitelisted |
6768 | MoUsoCoreWorker.exe | GET | 304 | 40.127.240.158:443 | https://settings-win.data.microsoft.com/settings/v3.0/OneSettings/Client?OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&LocalDeviceID=s%3ABAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&AttrDataVer=186&OSUILocale=en-US&OSSkuId=48&App=WOSC&AppVer=&IsFlightingEnabled=0&TelemetryLevel=1&DeviceFamily=Windows.Desktop | US | — | — | whitelisted |
8756 | svchost.exe | GET | 200 | 20.73.194.208:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/WaaSAssessment?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&ring=Retail&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=10.0&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=WaaSAssessment&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&ServicingBranch=CB&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&HonorWUfBDeferrals=0&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | text | 5.74 Kb | whitelisted |
8756 | svchost.exe | GET | 200 | 2.16.164.120:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
8756 | svchost.exe | GET | 200 | 23.52.181.212:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted |
2416 | SIHClient.exe | GET | 304 | 74.179.77.204:443 | https://slscr.update.microsoft.com/SLS/%7B522D76A4-93E1-47F8-B8CE-07C937AD1A1E%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | — | — | whitelisted |
2416 | SIHClient.exe | GET | 200 | 135.233.95.135:443 | https://fe3cr.delivery.mp.microsoft.com/clientwebservice/ping | US | — | — | whitelisted |
2416 | SIHClient.exe | GET | 200 | 74.179.77.204:443 | https://slscr.update.microsoft.com/sls/ping | US | — | — | whitelisted |
2416 | SIHClient.exe | GET | 304 | 74.179.77.204:443 | https://slscr.update.microsoft.com/SLS/%7BE7A50285-D08D-499D-9FF8-180FDC2332BC%7D/x64/10.0.19045.4046/0?CH=686&L=en-US&P=&PT=0x30&WUA=10.0.19041.3996&MK=DELL&MD=DELL | US | — | — | whitelisted |
7772 | RtkBtManServ.exe | POST | — | 162.159.135.232:443 | https://discord.com/api/webhooks/851870796301205524/UFVDReiBhaCiJ8-_Z-OAGsRlpgp14pY-bsrz3enVP2cA3sRhWgu4CCMJEAz2oCYoD0QH | US | — | — | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
6768 | MoUsoCoreWorker.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
8756 | svchost.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4936 | RUXIMICS.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
8756 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
8756 | svchost.exe | 2.16.164.120:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
8756 | svchost.exe | 23.52.181.212:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
7772 | RtkBtManServ.exe | 173.231.16.77:443 | api64.ipify.org | WEBNX | US | whitelisted |
7772 | RtkBtManServ.exe | 162.159.135.232:443 | discord.com | CLOUDFLARENET | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
google.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
settings-win.data.microsoft.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
itroublvehacker.gq |
| whitelisted |
api64.ipify.org |
| whitelisted |
discord.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
login.live.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
8756 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
2292 | svchost.exe | Potentially Bad Traffic | ET INFO DNS Query for Suspicious .gq Domain |
2292 | svchost.exe | Misc activity | ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup |
7772 | RtkBtManServ.exe | Misc activity | ET INFO External IP Address Lookup Domain (ipify .org) in TLS SNI |
7772 | RtkBtManServ.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI |
2292 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com) |
2292 | svchost.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com) |
7772 | RtkBtManServ.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
7772 | RtkBtManServ.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
7772 | RtkBtManServ.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI |