File name:	SAB4.0.bat
Full analysis:	https://app.any.run/tasks/71a67b54-687d-4a93-9d13-80cdd62f2db5
Verdict:	Malicious activity
Threats:	Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 09:02:59
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	discord exfiltration stealer auto-startup
Indicators:
MIME:	text/x-msdos-batch
File info:	DOS batch file, ASCII text, with CRLF line terminators
MD5:	7DFCB45FAC911C07BD4ED656C6CAB357
SHA1:	48AAEEB3BE89DCAABDE0F45FB278B0ECECD18E4C
SHA256:	B7C68A607271299CFFA5DA76B17044B891A17EE2742A2C37147522C30CDF481A
SSDEEP:	96:nQI8XV8wDIH5E8+aNb+qtXCMEWHvEqJ0IEXvEgR:nQI0IHvnNb++JEWHvxuDXcgR


(PID) Process:	(6896) powershell.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\WINDOWS\System32\cmd.exe.FriendlyAppName
Value: Windows Command Processor
(PID) Process:	(6896) powershell.exe	Key:	HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Operation:	write	Name:	C:\WINDOWS\System32\cmd.exe.ApplicationCompany
Value: Microsoft Corporation
(PID) Process:	(6012) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
Operation:	write	Name:	DisableTaskMgr
Value: 1
(PID) Process:	(436) reg.exe	Key:	HKEY_CURRENT_USER\Control Panel\Mouse
Operation:	write	Name:	SwapMouseButtons
Value: 1
(PID) Process:	(7000) reg.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer
Operation:	write	Name:	NoDesktop
Value: 1
(PID) Process:	(1700) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SmartScreenEnabled
Value: Off
(PID) Process:	(2140) reg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
Operation:	write	Name:	EnableFirewall
Value: 0
(PID) Process:	(4320) reg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile
Operation:	write	Name:	EnableFirewall
Value: 0
(PID) Process:	(5244) reg.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
Operation:	write	Name:	DisableAntiSpyware
Value: 1
(PID) Process:	(2760) reg.exe	Key:	HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
Operation:	write	Name:	EnableFirewall
Value: 0

PID	Process	Filename		Type
6896	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:390F7936FBF2B5B735CB5658747D094C	SHA256:02B7C30F5FE709B63491505DBDA706845258B687D9CD7CC4ADFA4C8D6E653D14
6584	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_pol0qs1q.pvr.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6584	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_oqvmo3m3.r1z.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4036	cmd.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\MyAutoStart.bat		text
		MD5:7DFCB45FAC911C07BD4ED656C6CAB357	SHA256:B7C68A607271299CFFA5DA76B17044B891A17EE2742A2C37147522C30CDF481A
6896	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_dhouzihf.jr0.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6896	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_clqkptpu.ate.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1740	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_j4dpzp4b.0xr.ps1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
4036	cmd.exe	C:\Users\admin\Downloads\VARIETY_WOLFED_wellcoming.jpg		image
		MD5:277C184E29E6AF7EEC45143B3F1F580D	SHA256:E2B0033C330E10F447ED06C9DC3A738494A57F7CE7EAD2CC6283EDA3B1449616
4036	cmd.exe	C:\Users\admin\Downloads\VARIETY_WOLFED_photographyprivacy.jpg		image
		MD5:FD99E9F105BA54814F6A67E217EAE3D2	SHA256:C5C55B377EE18CBFCF89DE263D57D11A5F30EB599B6F4B73890866356E5010FD
4036	cmd.exe	C:\Users\admin\Downloads\VARIETY_WOLFED_partiesbest.png		image
		MD5:3BD3D5DCB21B36ED7AB745E2A5D3E75D	SHA256:BAAFFE6B1DA1DCA7D5711C2F689B6324C30D795F2C400932A9FF31E30388AA64

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
3588	RUXIMICS.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	2.19.11.105:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
3588	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	20.190.159.75:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	404	162.159.128.233:443	https://discord.com/api/webhooks/1385864776902774865/NxFnzjTjNF0AFMRMbF63CBItfiGK1xQaLlpolNP5QAbGKVfs4h48tJsrLB-XoxUgYlA1	unknown	binary	45 b	whitelisted
—	—	POST	200	40.126.31.69:443	https://login.live.com/RST2.srf	unknown	xml	11.1 Kb	whitelisted
—	—	POST	200	20.190.159.68:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	16.7 Kb	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
5944	MoUsoCoreWorker.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
3588	RUXIMICS.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3588	RUXIMICS.exe	2.19.11.105:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
5944	MoUsoCoreWorker.exe	2.19.11.105:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
1268	svchost.exe	2.19.11.105:80	crl.microsoft.com	Elisa Oyj	NL	whitelisted
5944	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.104.136.2 4.231.128.59	whitelisted
google.com	216.58.206.78	whitelisted
crl.microsoft.com	2.19.11.105 2.19.11.120 23.53.40.178 23.53.40.176	whitelisted
www.microsoft.com	95.101.149.131 23.35.229.160	whitelisted
login.live.com	40.126.32.76 20.190.160.128 20.190.160.22 20.190.160.65 20.190.160.132 40.126.32.68 20.190.160.67 20.190.160.66	whitelisted
discord.com	162.159.135.232 162.159.138.232 162.159.128.233 162.159.136.232 162.159.137.232	whitelisted
client.wns.windows.com	172.211.123.250 172.211.123.248	whitelisted
nexusrules.officeapps.live.com	52.111.236.22	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted

PID	Process	Class	Message
6584	powershell.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
2200	svchost.exe	Misc activity	ET INFO Observed Discord Domain in DNS Lookup (discord .com)
6584	powershell.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
2200	svchost.exe	Misc activity	ET INFO Discord Chat Service Domain in DNS Lookup (discord .com)
6584	powershell.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Attempt to exfiltrate via Discord
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
3108	powershell.exe	Misc activity	ET INFO Observed Discord Domain (discord .com in TLS SNI)
3108	powershell.exe	Misc activity	ET INFO Observed Discord Service Domain (discord .com) in TLS SNI
3108	powershell.exe	Successful Credential Theft Detected	STEALER [ANY.RUN] Attempt to exfiltrate via Discord

General Info

SAB4.0.bat

7DFCB45FAC911C07BD4ED656C6CAB357

48AAEEB3BE89DCAABDE0F45FB278B0ECECD18E4C

B7C68A607271299CFFA5DA76B17044B891A17EE2742A2C37147522C30CDF481A

96:nQI8XV8wDIH5E8+aNb+qtXCMEWHvEqJ0IEXvEgR:nQI0IHvnNb++JEWHvxuDXcgR

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Disables Windows firewall

Changes firewall settings

UAC/LUA settings modification

Disables Windows Defender

Disables task manager

Starts NET.EXE for service management

Uses NET.EXE to stop Windows Update service

Create files in the Startup directory

Task Manager has been disabled (taskmgr)

SUSPICIOUS

Starts POWERSHELL.EXE for commands execution

Executing commands from a ".bat" file

The process bypasses the loading of PowerShell profile settings

Uses REG/REGEDIT.EXE to modify registry

The process connected to a server suspected of theft

Reads security settings of Internet Explorer

Starts SC.EXE for service management

Windows service management via SC.EXE

Suspicious use of NETSH.EXE

Starts process via Powershell

Starts CMD.EXE for commands execution

Uses ICACLS.EXE to modify access control lists

INFO

Reads mouse settings

Script raised an exception (POWERSHELL)

Remote server returned an error (POWERSHELL)

Disables trace logs

Checks proxy server information

Reads the computer name

Checks supported languages

Manual execution by a user

Launching a file from the Startup directory

Reads the software policy settings

Reads Microsoft Office registry keys

Reads security settings of Internet Explorer

Malware configuration

Static information

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests