| File name: | Build.exe |
| Full analysis: | https://app.any.run/tasks/58ddfe04-c72e-45f1-840f-ca9372ca739d |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | December 31, 2025, 22:35:52 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections |
| MD5: | 6DD2136F36DEBF53CA0FD8E1F148156D |
| SHA1: | D3C3A041A9F45C7A5CF7F689FEAE59006377814A |
| SHA256: | A3B997DC6225075BB0CC4F07E9B72BFBF16CC1724CCBE12FDCCE6A7BD345D053 |
| SSDEEP: | 3072:Iv1Pq5n1L12/ju0enoKPfn+uo7SSg+gN+fTTuG26ifEgXiJTe8zqrzLx2ckveOHn:35TGQ08xx9MYWHA9bJjU/HIrXG |
MALICIOUS
Steals credentials from Web Browsers
- Build.exe (PID: 7828)
Actions looks like stealing of personal data
- Build.exe (PID: 7828)
UNIXSTEALER has been detected
- Build.exe (PID: 7828)
UNIXSTEALER has been detected (YARA)
- Build.exe (PID: 7828)
SUSPICIOUS
Possible stealing of messenger data
- Build.exe (PID: 7828)
Possible stealing of FTP data
- Build.exe (PID: 7828)
Loads DLL from Mozilla Firefox
- Build.exe (PID: 7828)
Possible stealing of VPN data
- Build.exe (PID: 7828)
Possible stealing of email data
- Build.exe (PID: 7828)
Checks for external IP
- svchost.exe (PID: 2292)
The process connected to a server suspected of theft
- Build.exe (PID: 7828)
Possible usage of Discord/Telegram API has been detected (YARA)
- Build.exe (PID: 7828)
Uses WEVTUTIL.EXE to cleanup log
- Build.exe (PID: 7828)
Starts CMD.EXE for commands execution
- Build.exe (PID: 7828)
Executing commands from a ".bat" file
- Build.exe (PID: 7828)
Uses TIMEOUT.EXE to delay execution
- cmd.exe (PID: 5612)
INFO
Reads the computer name
- Build.exe (PID: 7828)
Reads Environment values
- Build.exe (PID: 7828)
Disables trace logs
- Build.exe (PID: 7828)
Checks supported languages
- Build.exe (PID: 7828)
Reads the machine GUID from the registry
- Build.exe (PID: 7828)
Creates files or folders in the user directory
- Build.exe (PID: 7828)
Create files in a temporary directory
- Build.exe (PID: 7828)
Checks proxy server information
- Build.exe (PID: 7828)
- slui.exe (PID: 7248)
Reads CPU info
- Build.exe (PID: 7828)
Reads security settings of Internet Explorer
- notepad.exe (PID: 8176)
- notepad.exe (PID: 8112)
- notepad.exe (PID: 3112)
- notepad.exe (PID: 5152)
Manual execution by a user
- notepad.exe (PID: 8176)
- notepad.exe (PID: 3112)
- notepad.exe (PID: 5152)
- notepad.exe (PID: 8112)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
ims-api
(PID) Process(7828) Build.exe
Telegram-Tokens (1)8106376274:AAEkayAXFzXeMY3ArPOoFjIpdjbI0KX_mho
Telegram-Info-Links
8106376274:AAEkayAXFzXeMY3ArPOoFjIpdjbI0KX_mho
Get info about bothttps://api.telegram.org/bot8106376274:AAEkayAXFzXeMY3ArPOoFjIpdjbI0KX_mho/getMe
Get incoming updateshttps://api.telegram.org/bot8106376274:AAEkayAXFzXeMY3ArPOoFjIpdjbI0KX_mho/getUpdates
Get webhookhttps://api.telegram.org/bot8106376274:AAEkayAXFzXeMY3ArPOoFjIpdjbI0KX_mho/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot8106376274:AAEkayAXFzXeMY3ArPOoFjIpdjbI0KX_mho/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot8106376274:AAEkayAXFzXeMY3ArPOoFjIpdjbI0KX_mho/deleteWebhook?drop_pending_updates=true
Telegram-Requests
Token8106376274:AAEkayAXFzXeMY3ArPOoFjIpdjbI0KX_mho
End-PointsendMessage
Args
Token8106376274:AAEkayAXFzXeMY3ArPOoFjIpdjbI0KX_mho
End-PointsendDocument
Args
Telegram-Responses
oktrue
result
message_id142
from
id8106376274
is_bottrue
first_nameRay
usernameRayzstealerz_bot
chat
id6881225922
first_namevvseqxx
usernamevvseqxx
typeprivate
date1767220564
text🔥 Unix Stealer
💻 System Info
Computer Name: DESKTOP-JGLLJLD
Computer OS: Windows 10 Pro (64 Bit)
Total Memory: 6137MB
UUID: 078BFBFF00800F12
CPU: AMD Ryzen 5 3500 6-Core Processor
GPU: Microsoft Basic Display Adapter
🌍 IP Info
IP: 86.208.7.230
Region: [France]
Country: [FR]
📊 Grabbed Data
Cooki...
entities
offset0
length15
typebold
offset17
length14
typebold
offset32
length187
typecode
offset220
length10
typebold
offset231
length47
typecode
offset279
length15
typebold
offset295
length52
typecode
oktrue
result
message_id143
from
id8106376274
is_bottrue
first_nameRay
usernameRayzstealerz_bot
chat
id6881225922
first_namevvseqxx
usernamevvseqxx
typeprivate
date1767220565
document
file_nameUnix-ADMIN-5B31045.zip
mime_typeapplication/zip
file_idBQACAgEAAxkDAAOPaVWlVeIjiYQLX9IMAqCuYcGraR0AAlMGAAKJyKhGl7vmVc0aqWY4BA
file_unique_idAgADUwYAAonIqEY
file_size558099
captionUnix Stealer Log
Telegram-Tokens (1)8106376274:AAEkayAXFzXeMY3ArPOoFjIpdjbI0KX_mho
Telegram-Info-Links
8106376274:AAEkayAXFzXeMY3ArPOoFjIpdjbI0KX_mho
Get info about bothttps://api.telegram.org/bot8106376274:AAEkayAXFzXeMY3ArPOoFjIpdjbI0KX_mho/getMe
Get incoming updateshttps://api.telegram.org/bot8106376274:AAEkayAXFzXeMY3ArPOoFjIpdjbI0KX_mho/getUpdates
Get webhookhttps://api.telegram.org/bot8106376274:AAEkayAXFzXeMY3ArPOoFjIpdjbI0KX_mho/getWebhookInfo
Delete webhookhttps://api.telegram.org/bot8106376274:AAEkayAXFzXeMY3ArPOoFjIpdjbI0KX_mho/deleteWebhook
Drop incoming updateshttps://api.telegram.org/bot8106376274:AAEkayAXFzXeMY3ArPOoFjIpdjbI0KX_mho/deleteWebhook?drop_pending_updates=true
TRiD
| .exe | | | Generic CIL Executable (.NET, Mono, etc.) (56.7) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (21.3) |
| .scr | | | Windows screen saver (10.1) |
| .dll | | | Win32 Dynamic Link Library (generic) (5) |
| .exe | | | Win32 Executable (generic) (3.4) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2092:06:18 05:21:39+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32 |
| LinkerVersion: | 48 |
| CodeSize: | 300544 |
| InitializedDataSize: | 2048 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x48e4a |
| OSVersion: | 4 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.6.2.0 |
| ProductVersionNumber: | 1.6.2.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| Comments: | - |
| CompanyName: | - |
| FileDescription: | - |
| FileVersion: | 1.6.2.0 |
| InternalName: | UnixStealer.exe |
| LegalCopyright: | - |
| LegalTrademarks: | - |
| OriginalFileName: | UnixStealer.exe |
| ProductName: | - |
| ProductVersion: | 1.6.2.0 |
| AssemblyVersion: | 1.6.2.0 |
Total processes
151
Monitored processes
16
Malicious processes
1
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1136 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | wevtutil.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1164 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | wevtutil.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2232 | "wevtutil.exe" cl Security | C:\Windows\System32\wevtutil.exe | — | Build.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2292 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3112 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Browsers/Firefox/Bookmarks.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3500 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | wevtutil.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 4964 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5152 | "C:\WINDOWS\system32\NOTEPAD.EXE" C:\Users\admin\Desktop\Display/Process.txt | C:\Windows\System32\notepad.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 5612 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\cleanup.bat"" | C:\Windows\System32\cmd.exe | — | Build.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6244 | "wevtutil.exe" cl Application | C:\Windows\System32\wevtutil.exe | — | Build.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Eventing Command Line Utility Exit code: 5 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
6 454
Read events
6 438
Write events
15
Delete events
1
Modification events
| (PID) Process: | (7828) Build.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Build_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (7828) Build.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Build_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (7828) Build.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Build_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (7828) Build.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Build_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (7828) Build.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Build_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (7828) Build.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Build_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (7828) Build.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Build_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
| (PID) Process: | (7828) Build.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Build_RASMANCS |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (7828) Build.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Build_RASMANCS |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (7828) Build.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\Build_RASMANCS |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
Executable files
0
Suspicious files
20
Text files
7
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 7828 | Build.exe | C:\Users\admin\AppData\Local\Temp\tmpE0E1.tmp.tmpdb | — | |
MD5:— | SHA256:— | |||
| 7828 | Build.exe | C:\Users\admin\AppData\Local\Temp\tmpE146.tmp.tmpdb | — | |
MD5:— | SHA256:— | |||
| 7828 | Build.exe | C:\Users\admin\AppData\Local\Temp\tmpE143.tmp.dat | binary | |
MD5:15689BCA2327BD6439BB5A321BFF1115 | SHA256:1513329660C876E166FDE7919D705ECFA5339732849159685C59847BE92B7478 | |||
| 7828 | Build.exe | C:\Users\admin\AppData\Local\Temp\tmpE112.tmp.dat | binary | |
MD5:A45465CDCDC6CB30C8906F3DA4EC114C | SHA256:4412319EF944EBCCA9581CBACB1D4E1DC614C348D1DFC5D2FAAAAD863D300209 | |||
| 7828 | Build.exe | C:\Users\admin\AppData\Local\Temp\tmpE122.tmp.dat | binary | |
MD5:15689BCA2327BD6439BB5A321BFF1115 | SHA256:1513329660C876E166FDE7919D705ECFA5339732849159685C59847BE92B7478 | |||
| 7828 | Build.exe | C:\Users\admin\AppData\Local\Temp\tmpE144.tmp.dat | binary | |
MD5:983A5B37990067066CF80EDDF2426994 | SHA256:E499265D1817B9CD52AC502B7BE6DEF5174478CAAAB7DADE263A7754E4E838D3 | |||
| 7828 | Build.exe | C:\Users\admin\AppData\Local\Temp\tmpE185.tmp.dat | binary | |
MD5:AD69D516F25355F9DF4BF7160DBC0A31 | SHA256:7C7CC596E5D1D2F3809B5D1E7BC8E9E578A88D1A07657C1FD411363C5853C1D3 | |||
| 7828 | Build.exe | C:\Users\admin\AppData\Local\Temp\tmpE145.tmp.tmpdb | binary | |
MD5:34B2848FBEDBF3D43462938703592DBC | SHA256:6CF535DAEEC70899C28C0C6127F210900C2999A97189DEDDA415987D0F353A72 | |||
| 7828 | Build.exe | C:\Users\admin\AppData\Local\Temp\tmpE1A5.tmp.dat | binary | |
MD5:9354520741EBDFB3142C07C6CBC20A35 | SHA256:1440E81F80958229541B1DA9D33A03E9AA5848545033C98EFF59E332AA2B59E9 | |||
| 7828 | Build.exe | C:\Users\admin\AppData\Local\Temp\tmpE1C8.tmp.dat | binary | |
MD5:AD69D516F25355F9DF4BF7160DBC0A31 | SHA256:7C7CC596E5D1D2F3809B5D1E7BC8E9E578A88D1A07657C1FD411363C5853C1D3 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
19
DNS requests
10
Threats
14
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4704 | svchost.exe | GET | 200 | 72.246.29.11:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted |
6768 | MoUsoCoreWorker.exe | GET | 200 | 72.246.29.11:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted |
— | — | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
— | — | GET | 200 | 72.246.29.11:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | US | binary | 814 b | whitelisted |
7828 | Build.exe | GET | 200 | 208.95.112.1:80 | http://ip-api.com/line/?fields=status,country,countryCode,query | US | text | 31 b | unknown |
4704 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
6768 | MoUsoCoreWorker.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | NL | binary | 825 b | whitelisted |
4704 | svchost.exe | GET | 200 | 4.231.128.59:443 | https://settings-win.data.microsoft.com/settings/v3.0/WSD/UpdateHealthTools?os=Windows&osVer=10.0.19041.1.amd64fre.vb_release.191206-&sku=48&deviceClass=Windows.Desktop&locale=en-US&deviceId=s:BAD99146-31D3-4EC6-A1A4-BE76F32BA5D4&sampleId=s:95271487&appVer=10.0.19041.3626&FlightRing=Retail&TelemetryLevel=1&HidOverGattReg=C%3A%5CWINDOWS%5CSystem32%5CDriverStore%5CFileRepository%5Chidbthle.inf_amd64_9610b4821fdf82a5%5CMicrosoft.Bluetooth.Profiles.HidOverGatt.dll&AppVer=&ProcessorIdentifier=AMD64%20Family%2023%20Model%201%20Stepping%202&OEMModel=DELL&UpdateOfferedDays=4294967295&ProcessorManufacturer=AuthenticAMD&InstallDate=1661339444&OEMModelBaseBoard=&BranchReadinessLevel=CB&OEMSubModel=J5CR&IsCloudDomainJoined=0&DeferFeatureUpdatePeriodInDays=30&IsDeviceRetailDemo=0&FlightingBranchName=&OSUILocale=en-US&DeviceFamily=Windows.Desktop&WuClientVer=10.0.19041.3996&UninstallActive=1&IsFlightingEnabled=0&OSSkuId=48&ProcessorClockSpeed=3094&TotalPhysicalRAM=6144&SecureBootCapable=0&App=SedimentPack&ProcessorCores=6&CurrentBranch=vb_release&InstallLanguage=en-US&DeferQualityUpdatePeriodInDays=0&OEMName_Uncleaned=DELL&TPMVersion=0&PrimaryDiskTotalCapacity=262144&InstallationType=Client&AttrDataVer=186&ProcessorModel=AMD%20Ryzen%205%203500%206-Core%20Processor&IsEdgeWithChromiumInstalled=1&OSVersion=10.0.19045.4046&IsMDMEnrolled=0&ActivationChannel=Retail&FirmwareVersion=A.40&TrendInstalledKey=1&OSArchitecture=AMD64&DefaultUserRegion=244&UpdateManagementGroup=2 | US | text | 1.43 Kb | whitelisted |
7828 | Build.exe | POST | — | 149.154.166.110:443 | https://api.telegram.org/bot8106376274:AAEkayAXFzXeMY3ArPOoFjIpdjbI0KX_mho/sendMessage | VG | — | — | unknown |
7828 | Build.exe | POST | 200 | 149.154.166.110:443 | https://api.telegram.org/bot8106376274:AAEkayAXFzXeMY3ArPOoFjIpdjbI0KX_mho/sendMessage | VG | text | 942 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
4704 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
6768 | MoUsoCoreWorker.exe | 23.216.77.28:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
— | — | 23.216.77.28:80 | crl.microsoft.com | AKAMAI-ASN1 | NL | whitelisted |
4704 | svchost.exe | 72.246.29.11:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
6768 | MoUsoCoreWorker.exe | 72.246.29.11:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
— | — | 72.246.29.11:80 | www.microsoft.com | AKAMAI-AS | US | whitelisted |
— | — | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
ip-api.com |
| whitelisted |
api.telegram.org |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2292 | svchost.exe | Device Retrieving External IP Address Detected | INFO [ANY.RUN] External IP Check (ip-api .com) |
2292 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (ip-api .com) |
— | — | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
2292 | svchost.exe | Misc activity | SUSPICIOUS [ANY.RUN] Possible sending an external IP address to Telegram |
2292 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup |
7828 | Build.exe | Successful Credential Theft Detected | STEALER [ANY.RUN] Attempt to exfiltrate via Telegram |
7828 | Build.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) |
7828 | Build.exe | Misc activity | ET HUNTING Telegram API Certificate Observed |
7828 | Build.exe | Misc activity | SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body |
7828 | Build.exe | Successful Credential Theft Detected | MALWARE [ANY.RUN] Stolen Data Exfiltration via Telegram Bot API |