| File name: | _20e96722673872dc789302d6c66aacc88e79e023118dfc8851528e5903cf3190.txt |
| Full analysis: | https://app.any.run/tasks/8ff3928f-1b4c-4281-9bd7-1a2b3e97ea68 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | March 12, 2026, 20:11:26 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/plain |
| File info: | Unicode text, UTF-8 text, with very long lines (502), with CRLF line terminators |
| MD5: | 289B8E23ACE9BF4A5461FD1CD5305C20 |
| SHA1: | 1D36B2A20C797414FE5F10C54ACF6315A7B478ED |
| SHA256: | 20E96722673872DC789302D6C66AACC88E79E023118DFC8851528E5903CF3190 |
| SSDEEP: | 196608:DnRoZQFiS2Bwh0heagmLPsN92i0IjTVs/eh:FoeF2Bw2l0nXJs/eh |
MALICIOUS
Detects the decoding of a binary file from Base64 (SCRIPT)
- wscript.exe (PID: 8960)
Uses base64 encoding (SCRIPT)
- wscript.exe (PID: 8960)
Changes the autorun value in the registry
- colorcpl.exe (PID: 8120)
Actions looks like stealing of personal data
- colorcpl.exe (PID: 8120)
PHANTOM has been detected (YARA)
- colorcpl.exe (PID: 8120)
Steals credentials from Web Browsers
- colorcpl.exe (PID: 8120)
PHANTOM has been detected (SURICATA)
- colorcpl.exe (PID: 8120)
PHANTOM has been detected
- colorcpl.exe (PID: 8120)
SUSPICIOUS
Creates FileSystem object to access computer's file system (SCRIPT)
- wscript.exe (PID: 8960)
Creates XML DOM element (SCRIPT)
- wscript.exe (PID: 8960)
Script creates XML DOM node (SCRIPT)
- wscript.exe (PID: 8960)
The process executes JS scripts
- wscript.exe (PID: 8960)
Writes binary data to a Stream object (SCRIPT)
- wscript.exe (PID: 8960)
Likely accesses (executes) a file from the Public directory
- BLHXDZLJYTBNGKMVLKAPRLCAXATITCNTZLMUWQBWRWASFSKUBWIRBYOBYQHDHEEEJ.exe (PID: 9048)
Gets name of the script (SCRIPT)
- wscript.exe (PID: 8960)
Executable content was dropped or overwritten
- wscript.exe (PID: 8960)
- colorcpl.exe (PID: 8120)
Creates a Stream, which may work with files, input/output devices, pipes, or TCP/IP sockets (SCRIPT)
- wscript.exe (PID: 8960)
Saves data to a binary file (SCRIPT)
- wscript.exe (PID: 8960)
Starts the AutoIt3 executable file
- wscript.exe (PID: 8960)
Possible usage of Discord/Telegram API has been detected (YARA)
- colorcpl.exe (PID: 8120)
Runs shell command (SCRIPT)
- wscript.exe (PID: 8960)
Sets XML DOM element text (SCRIPT)
- wscript.exe (PID: 8960)
Multiple wallet extension IDs have been found
- colorcpl.exe (PID: 8120)
Found regular expressions for crypto-addresses (YARA)
- colorcpl.exe (PID: 8120)
Browser sandbox disabling
- chrome.exe (PID: 7924)
- chrome.exe (PID: 9184)
- chrome.exe (PID: 3920)
- chrome.exe (PID: 9076)
- chrome.exe (PID: 3020)
- chrome.exe (PID: 8996)
- chrome.exe (PID: 5108)
- chrome.exe (PID: 3440)
- chrome.exe (PID: 7960)
- chrome.exe (PID: 6916)
- msedge.exe (PID: 6036)
- msedge.exe (PID: 8940)
- firefox.exe (PID: 8240)
- msedge.exe (PID: 8996)
- msedge.exe (PID: 6440)
- msedge.exe (PID: 2752)
- msedge.exe (PID: 2256)
- firefox.exe (PID: 1856)
- firefox.exe (PID: 6608)
- firefox.exe (PID: 2900)
- msedge.exe (PID: 6696)
Browser launch with unusual user-data-dir
- chrome.exe (PID: 7924)
- colorcpl.exe (PID: 8120)
- msedge.exe (PID: 6036)
Possible stealing of email data
- colorcpl.exe (PID: 8120)
Checks for external IP
- colorcpl.exe (PID: 8120)
- svchost.exe (PID: 2292)
Contacting a server suspected of hosting an CnC
- colorcpl.exe (PID: 8120)
INFO
Checks supported languages
- BLHXDZLJYTBNGKMVLKAPRLCAXATITCNTZLMUWQBWRWASFSKUBWIRBYOBYQHDHEEEJ.exe (PID: 9048)
- colorcpl.exe (PID: 3584)
Reads mouse settings
- BLHXDZLJYTBNGKMVLKAPRLCAXATITCNTZLMUWQBWRWASFSKUBWIRBYOBYQHDHEEEJ.exe (PID: 9048)
Launching a file from a Registry key
- colorcpl.exe (PID: 8120)
The sample compiled with english language support
- colorcpl.exe (PID: 8120)
- wscript.exe (PID: 8960)
Creates files or folders in the user directory
- colorcpl.exe (PID: 8120)
Application launched itself
- chrome.exe (PID: 7924)
- firefox.exe (PID: 2900)
- firefox.exe (PID: 8240)
- msedge.exe (PID: 6036)
- firefox.exe (PID: 1856)
- firefox.exe (PID: 6608)
Manual execution by a user
- colorcpl.exe (PID: 3584)
Disables trace logs
- colorcpl.exe (PID: 8120)
Create files in a temporary directory
- colorcpl.exe (PID: 8120)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
192
Monitored processes
49
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 664 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4688 -prefsLen 39223 -prefMapHandle 4684 -prefMapSize 272981 -jsInitHandle 4620 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 4900 -initialChannelId {b262753a-afd1-4f79-a6b4-f670fa06c2d9} -parentPid 8240 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8240" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 136.0 Modules
| |||||||||||||||
| 1068 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3948 -prefsLen 45111 -prefMapHandle 3952 -prefMapSize 272981 -jsInitHandle 3956 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 3968 -initialChannelId {d2cbe0b0-401f-4083-bbc5-3d9ef174efda} -parentPid 8240 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8240" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 136.0 Modules
| |||||||||||||||
| 1508 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\Users\admin\AppData\Local\Temp\dbo1jwad.hap /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\admin\AppData\Local\Temp\dbo1jwad.hap\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.127 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffd7114fff8,0x7ffd71150004,0x7ffd71150010 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 133.0.6943.127 Modules
| |||||||||||||||
| 1848 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4624 -prefsLen 45212 -prefMapHandle 4668 -prefMapSize 272981 -jsInitHandle 4676 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 4608 -initialChannelId {3314a16d-7786-4509-81ab-d4fff945896d} -parentPid 8240 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8240" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 136.0 Modules
| |||||||||||||||
| 1856 | "C:\Program Files\Mozilla Firefox\firefox.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\admin\AppData\Local\Temp\0hiuhfe2.mez" | C:\Program Files\Mozilla Firefox\firefox.exe | — | colorcpl.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 136.0 Modules
| |||||||||||||||
| 1928 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -prefsHandle 1936 -prefsLen 36521 -prefMapHandle 1940 -prefMapSize 272981 -ipcHandle 2012 -initialChannelId {d8520e95-abb2-4730-a8da-2778c89b5f2c} -parentPid 8240 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8240" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 136.0 Modules
| |||||||||||||||
| 2096 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3440 -prefsLen 37305 -prefMapHandle 3444 -prefMapSize 272981 -jsInitHandle 3448 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 3456 -initialChannelId {f8aa93c4-cd8f-4778-b162-a7295602d4ba} -parentPid 6608 -crashReporter "\\.\pipe\gecko-crash-server-pipe.6608" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 136.0 Modules
| |||||||||||||||
| 2256 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\admin\AppData\Local\Temp\kobi5n0t.cwy" --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=3440,i,6014784248773276845,13485076469588127573,262144 --variations-seed-version --mojo-platform-channel-handle=3452 /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
| 2292 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2752 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-sandbox --string-annotations --user-data-dir="C:\Users\admin\AppData\Local\Temp\kobi5n0t.cwy" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --always-read-main-dll --field-trial-handle=2256,i,6014784248773276845,13485076469588127573,262144 --variations-seed-version --mojo-platform-channel-handle=2068 /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
Total events
9 699
Read events
9 682
Write events
17
Delete events
0
Modification events
| (PID) Process: | (8960) wscript.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows Script\Settings\Telemetry\wscript.exe |
| Operation: | write | Name: | JScriptSetScriptStateStarted |
Value: 3E6D1E0000000000 | |||
| (PID) Process: | (8120) colorcpl.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ICM\ProfileAssociations\Display\{4d36e96e-e325-11ce-bfc1-08002be10318}\0008 |
| Operation: | write | Name: | UsePerUserProfiles |
Value: 0 | |||
| (PID) Process: | (8120) colorcpl.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run |
| Operation: | write | Name: | colorcpl |
Value: C:\Users\admin\AppData\Roaming\colorcpl.exe | |||
| (PID) Process: | (8120) colorcpl.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\colorcpl_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (8120) colorcpl.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\colorcpl_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (8120) colorcpl.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\colorcpl_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (8120) colorcpl.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\colorcpl_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (8120) colorcpl.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\colorcpl_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (8120) colorcpl.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\colorcpl_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (8120) colorcpl.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\colorcpl_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
Executable files
3
Suspicious files
274
Text files
86
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7924 | chrome.exe | C:\Users\admin\AppData\Local\Temp\dbo1jwad.hap\First Run | — | |
MD5:— | SHA256:— | |||
| 8960 | wscript.exe | C:\Users\Public\Libraries\BLHXDZLJYTBNGKMVLKAPRLCAXATITCNTZLMUWQBWRWASFSKUBWIRBYOBYQHDHEEEJ.exe | executable | |
MD5:8FA52F316C393496F272357191DB6DEB | SHA256:92C6531A09180FAE8B2AAE7384B4CEA9986762F0C271B35DA09B4D0E733F9F45 | |||
| 7924 | chrome.exe | C:\Users\admin\AppData\Local\Temp\dbo1jwad.hap\Default\History-journal | — | |
MD5:— | SHA256:— | |||
| 8960 | wscript.exe | C:\Users\Public\Libraries\BLHXDZLJYTBNGKMVLKAPRLCAXATITCNTZLMUWQBWRWASFSKUBWIRBYOBYQHDHEEEJ | binary | |
MD5:D2F9973E639C5F941A9F7534C856EA57 | SHA256:46F045B134716AD06092F5E8F9ED22F8138BA8FB63801A97C539734BE939EB5D | |||
| 7924 | chrome.exe | C:\Users\admin\AppData\Local\Temp\dbo1jwad.hap\Variations | text | |
MD5:961E3604F228B0D10541EBF921500C86 | SHA256:F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED | |||
| 7924 | chrome.exe | C:\Users\admin\AppData\Local\Temp\dbo1jwad.hap\Default\Sync Data\LevelDB\CURRENT | text | |
MD5:46295CAC801E5D4857D09837238A6394 | SHA256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 | |||
| 7924 | chrome.exe | C:\Users\admin\AppData\Local\Temp\dbo1jwad.hap\Crashpad\settings.dat | binary | |
MD5:81A396FAAF7CCB3B3DA186D74B8D18DD | SHA256:606A8804DC48F62AFD27DF009726E618822845D0B695E9BE7AA78F0CF1E0EEBC | |||
| 7924 | chrome.exe | C:\Users\admin\AppData\Local\Temp\dbo1jwad.hap\d2c360c8-75c4-4694-ad0c-923fd300c926.tmp | text | |
MD5:E013B418BB541581701D8C5D6103B36D | SHA256:40FC958C676CD83DA0C988D50A1815171E02CDA8BF097C3F6B2EDDC1B51A45EC | |||
| 7924 | chrome.exe | C:\Users\admin\AppData\Local\Temp\dbo1jwad.hap\Last Version | text | |
MD5:D18CE7F480944AE4E61A969D8C1E5003 | SHA256:E0CB362A73D69BAD940A018881701B5F2A8527C13C3F5ACBBEA43B8820DFC199 | |||
| 7924 | chrome.exe | C:\Users\admin\AppData\Local\Temp\dbo1jwad.hap\Default\History | binary | |
MD5:9B85A4B842B758BE395BC19ABA64799C | SHA256:ECC8D7540D26E3C2C43589C761E94638FC5096AF874D7DF216E833B9599C673A | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
153
TCP/UDP connections
96
DNS requests
51
Threats
41
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1324 | RUXIMICS.exe | GET | 304 | 51.104.136.2:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/RUXIM?os=Windows&osVer=10.0.19045.4046.amd64fre.vb_release.191206-1406&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3623&OSVersionFull=10.0.19045.4046.amd64fre.vb_release.191206-1406&FlightRing=Retail&AttrDataVer=186&App=RUXIM&AppVer=&DeviceFamily=Windows.Desktop | unknown | — | — | whitelisted |
1324 | RUXIMICS.exe | GET | 200 | 2.16.164.72:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1324 | RUXIMICS.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 400 | 20.190.160.20:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
— | — | POST | 400 | 40.126.32.68:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | binary | 203 b | whitelisted |
— | — | POST | 400 | 20.190.160.132:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | text | 203 b | whitelisted |
7428 | svchost.exe | GET | 200 | 23.59.18.102:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
356 | svchost.exe | POST | 400 | 20.190.159.75:443 | https://login.live.com/ppsecure/deviceaddcredential.srf | unknown | — | 203 b | whitelisted |
— | — | POST | 200 | 40.126.32.68:443 | https://login.live.com/RST2.srf | unknown | text | 1.24 Kb | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
7428 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
1324 | RUXIMICS.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6768 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
— | — | 2.16.204.148:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted |
— | — | 172.211.123.250:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
7428 | svchost.exe | 2.16.164.72:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
6768 | MoUsoCoreWorker.exe | 2.16.164.72:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
1324 | RUXIMICS.exe | 2.16.164.72:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
www.bing.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
login.live.com |
| whitelisted |
firefox.settings.services.mozilla.com |
| whitelisted |
mozilla.map.fastly.net |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
1324 | RUXIMICS.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
8120 | colorcpl.exe | Misc activity | ET HUNTING Telegram API Certificate Observed |
2292 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup |
8120 | colorcpl.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) |
— | — | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Telegram Bot API request (/sendDocument) |
8120 | colorcpl.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Telegram Bot API request (/sendDocument) |
— | — | Misc activity | SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body |
— | — | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Telegram Bot API request (/sendDocument) |
8120 | colorcpl.exe | Misc activity | SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body |
8120 | colorcpl.exe | Potentially Bad Traffic | SUSPICIOUS [ANY.RUN] Telegram Bot API request (/sendDocument) |
Process | Message |
|---|---|
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\dbo1jwad.hap directory exists )
|
msedge.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\kobi5n0t.cwy directory exists )
|