| URL: | https://github.com/gdfsai0fkjfdsi9/someusefulexe |
| Full analysis: | https://app.any.run/tasks/f78dbf38-bcdc-4ce5-bf89-aa80ede9583e |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | July 01, 2025, 12:04:45 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MD5: | 513E0BE9750987FF866A42C7EBBAC72E |
| SHA1: | BB54C5FF1BBFC44C0B8CEDB3ED019C73C60B89CF |
| SHA256: | CA2C2290FF4A0E61143A856D638B4226FBD9394E1782ECCF422D5A38C9967EC4 |
| SSDEEP: | 3:N8tEdyBKP2STADmxdAn:2ukBKeSJbAn |
MALICIOUS
Script downloads file (POWERSHELL)
- powershell.exe (PID: 7532)
Executing a file with an untrusted certificate
- startse.exe (PID: 8120)
Steals credentials from Web Browsers
- winprotect.exe (PID: 5436)
Actions looks like stealing of personal data
- winprotect.exe (PID: 5436)
Changes the autorun value in the registry
- reg.exe (PID: 3716)
SUSPICIOUS
Reads security settings of Internet Explorer
- rdpbypa.exe (PID: 436)
Reads the date of Windows installation
- rdpbypa.exe (PID: 436)
Starts CMD.EXE for commands execution
- rdpbypa.exe (PID: 436)
- winprotect.exe (PID: 5436)
Base64-obfuscated command line is found
- cmd.exe (PID: 2432)
Executing commands from a ".bat" file
- rdpbypa.exe (PID: 436)
- winprotect.exe (PID: 5436)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 2432)
NGROK has been detected
- powershell.exe (PID: 7532)
Gets file extension (POWERSHELL)
- powershell.exe (PID: 7532)
Executable content was dropped or overwritten
- powershell.exe (PID: 7532)
- winprotect.exe (PID: 6348)
- winprotect.exe (PID: 5436)
BASE64 encoded PowerShell command has been detected
- cmd.exe (PID: 2432)
Connects to unusual port
- startse.exe (PID: 8120)
Process drops python dynamic module
- winprotect.exe (PID: 6348)
Application launched itself
- winprotect.exe (PID: 6348)
Process drops legitimate windows executable
- winprotect.exe (PID: 6348)
Loads Python modules
- winprotect.exe (PID: 5436)
Reads the Windows owner or organization settings
- ngrok.exe (PID: 7892)
The process drops C-runtime libraries
- winprotect.exe (PID: 6348)
Uses WMIC.EXE to obtain Windows Installer data
- cmd.exe (PID: 7888)
- cmd.exe (PID: 7512)
- cmd.exe (PID: 7200)
- cmd.exe (PID: 8048)
Accesses product unique identifier via WMI (SCRIPT)
- WMIC.exe (PID: 7724)
- WMIC.exe (PID: 7196)
- WMIC.exe (PID: 7612)
- WMIC.exe (PID: 8076)
Checks for external IP
- svchost.exe (PID: 2200)
Uses REG/REGEDIT.EXE to modify registry
- cmd.exe (PID: 4032)
- cmd.exe (PID: 7548)
Uses NETSH.EXE to obtain data on the network
- cmd.exe (PID: 1132)
- cmd.exe (PID: 5896)
- cmd.exe (PID: 7600)
INFO
Checks supported languages
- identity_helper.exe (PID: 7604)
- rdpbypa.exe (PID: 436)
- ngrok.exe (PID: 7892)
- startse.exe (PID: 8120)
- winprotect.exe (PID: 6348)
- winprotect.exe (PID: 5436)
Reads Environment values
- identity_helper.exe (PID: 7604)
- ngrok.exe (PID: 7892)
- startse.exe (PID: 8120)
Application launched itself
- msedge.exe (PID: 5960)
Reads the computer name
- identity_helper.exe (PID: 7604)
- rdpbypa.exe (PID: 436)
- ngrok.exe (PID: 7892)
- winprotect.exe (PID: 6348)
- winprotect.exe (PID: 5436)
Launching a file from the Downloads directory
- msedge.exe (PID: 5960)
Create files in a temporary directory
- rdpbypa.exe (PID: 436)
- winprotect.exe (PID: 6348)
- winprotect.exe (PID: 5436)
Executable content was dropped or overwritten
- msedge.exe (PID: 4580)
- msedge.exe (PID: 5960)
Process checks computer location settings
- rdpbypa.exe (PID: 436)
Uses string replace method (POWERSHELL)
- powershell.exe (PID: 7532)
Gets or sets the time when the file was last written to (POWERSHELL)
- powershell.exe (PID: 7532)
Disables trace logs
- powershell.exe (PID: 7532)
The sample compiled with english language support
- powershell.exe (PID: 7532)
- winprotect.exe (PID: 6348)
Checks if a key exists in the options dictionary (POWERSHELL)
- powershell.exe (PID: 7532)
Checks proxy server information
- powershell.exe (PID: 7532)
- winprotect.exe (PID: 5436)
Checks whether the specified file exists (POWERSHELL)
- powershell.exe (PID: 7532)
The executable file from the user directory is run by the Powershell process
- ngrok.exe (PID: 7892)
Reads product name
- ngrok.exe (PID: 7892)
Reads the machine GUID from the registry
- ngrok.exe (PID: 7892)
- winprotect.exe (PID: 5436)
Checks operating system version
- winprotect.exe (PID: 5436)
Reads security settings of Internet Explorer
- WMIC.exe (PID: 7724)
- WMIC.exe (PID: 8076)
- WMIC.exe (PID: 7612)
- WMIC.exe (PID: 7196)
Creates files or folders in the user directory
- winprotect.exe (PID: 5436)
Launching a file from a Registry key
- reg.exe (PID: 3716)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
208
Monitored processes
71
Malicious processes
5
Suspicious processes
4
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 436 | "C:\Users\admin\Downloads\rdpbypa.exe" | C:\Users\admin\Downloads\rdpbypa.exe | — | msedge.exe | |||||||||||
User: admin Integrity Level: MEDIUM Exit code: 1 Modules
| |||||||||||||||
| 1132 | C:\WINDOWS\system32\cmd.exe /c "netsh wlan show profiles" | C:\Windows\System32\cmd.exe | — | winprotect.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1356 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.142 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.92 --initial-client-data=0x304,0x308,0x30c,0x2fc,0x314,0x7ffc4344f208,0x7ffc4344f214,0x7ffc4344f220 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Version: 133.0.3065.92 Modules
| |||||||||||||||
| 1636 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2512,i,1903969255637057152,14630953998409316143,262144 --variations-seed-version --mojo-platform-channel-handle=2508 /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 133.0.3065.92 Modules
| |||||||||||||||
| 2200 | C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache | C:\Windows\System32\svchost.exe | services.exe | ||||||||||||
User: NETWORK SERVICE Company: Microsoft Corporation Integrity Level: SYSTEM Description: Host Process for Windows Services Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2216 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --string-annotations --always-read-main-dll --field-trial-handle=2544,i,1903969255637057152,14630953998409316143,262144 --variations-seed-version --mojo-platform-channel-handle=2796 /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Version: 133.0.3065.92 Modules
| |||||||||||||||
| 2404 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --disable-quic --message-loop-type-ui --string-annotations --always-read-main-dll --field-trial-handle=7596,i,1903969255637057152,14630953998409316143,262144 --variations-seed-version --mojo-platform-channel-handle=7356 /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
| 2428 | C:\WINDOWS\system32\cmd.exe /c "ver" | C:\Windows\System32\cmd.exe | — | winprotect.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2432 | "C:\WINDOWS\system32\cmd.exe" /c "C:\Users\admin\AppData\Local\Temp\B517.tmp\B518.tmp\B519.bat C:\Users\admin\Downloads\rdpbypa.exe" | C:\Windows\System32\cmd.exe | — | rdpbypa.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2632 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4268,i,1903969255637057152,14630953998409316143,262144 --variations-seed-version --mojo-platform-channel-handle=4324 /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: LOW Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
Total events
20 038
Read events
20 014
Write events
23
Delete events
1
Modification events
| (PID) Process: | (5960) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | failed_count |
Value: 0 | |||
| (PID) Process: | (5960) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | state |
Value: 2 | |||
| (PID) Process: | (5960) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon |
| Operation: | write | Name: | state |
Value: 1 | |||
| (PID) Process: | (5960) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\721710 |
| Operation: | write | Name: | WindowTabManagerFileMappingId |
Value: {68DA5418-5F00-46F1-A7A9-C56D895F0D82} | |||
| (PID) Process: | (5960) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics |
| Operation: | write | Name: | user_experience_metrics.stability.exited_cleanly |
Value: 0 | |||
| (PID) Process: | (5960) msedge.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\EdgeUpdate\ClientStateMedium\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\LastWasDefault |
| Operation: | write | Name: | S-1-5-21-1693682860-607145093-2874071422-1001 |
Value: D5D24A3C73972F00 | |||
| (PID) Process: | (5960) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\721710 |
| Operation: | write | Name: | WindowTabManagerFileMappingId |
Value: {E2B4C144-B1C0-488B-BEA9-95F83C5CB190} | |||
| (PID) Process: | (5960) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\721710 |
| Operation: | write | Name: | WindowTabManagerFileMappingId |
Value: {509BD5AD-615C-424F-B07D-701C6E351189} | |||
| (PID) Process: | (5960) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\721710 |
| Operation: | write | Name: | WindowTabManagerFileMappingId |
Value: {652B4DF3-3FEA-411E-A26F-4FB95A95FA91} | |||
| (PID) Process: | (5960) msedge.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowProperties\721710 |
| Operation: | write | Name: | WindowTabManagerFileMappingId |
Value: {548A0DAE-D5D8-4CF3-8DFD-384C0001E4F8} | |||
Executable files
103
Suspicious files
345
Text files
78
Unknown types
46
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 5960 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF175a64.TMP | — | |
MD5:— | SHA256:— | |||
| 5960 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF175a64.TMP | — | |
MD5:— | SHA256:— | |||
| 5960 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 5960 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old | — | |
MD5:— | SHA256:— | |||
| 5960 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF175a93.TMP | — | |
MD5:— | SHA256:— | |||
| 5960 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old~RF175a93.TMP | — | |
MD5:— | SHA256:— | |||
| 5960 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\LOG.old | — | |
MD5:— | SHA256:— | |||
| 5960 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old | — | |
MD5:— | SHA256:— | |||
| 5960 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\ClientCertificates\LOG.old~RF175aa3.TMP | — | |
MD5:— | SHA256:— | |||
| 5960 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF175aa3.TMP | — | |
MD5:— | SHA256:— | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
98
DNS requests
81
Threats
12
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
4580 | msedge.exe | GET | 200 | 150.171.28.11:80 | http://edge.microsoft.com/browsernetworktime/time/1/current?cup2key=2:4VUHNNPvYLTPterezEi15vvfKHC_Q3eHTAOITPieApE&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | unknown | — | — | whitelisted |
6284 | svchost.exe | GET | 200 | 2.23.77.188:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 2.16.168.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
7548 | SIHClient.exe | GET | 200 | 2.20.154.94:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | — | — | whitelisted |
7548 | SIHClient.exe | GET | 200 | 2.20.154.94:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | — | — | whitelisted |
7892 | ngrok.exe | GET | 200 | 18.66.147.120:80 | http://crl.ngrok-agent.com/ngrok.crl | unknown | — | — | unknown |
7836 | svchost.exe | HEAD | 200 | 199.232.214.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1751618457&P2=404&P3=2&P4=AFVaeUMe6RRvcpzWzv6rw2Iox3VzlFNoDxYbXUSKDgeNbjJrCofcAnMhnpnCrSEYoG%2fAoRyKP1jlfHAS5Sfi0g%3d%3d | unknown | — | — | whitelisted |
7836 | svchost.exe | GET | 206 | 199.232.214.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1751618457&P2=404&P3=2&P4=AFVaeUMe6RRvcpzWzv6rw2Iox3VzlFNoDxYbXUSKDgeNbjJrCofcAnMhnpnCrSEYoG%2fAoRyKP1jlfHAS5Sfi0g%3d%3d | unknown | — | — | whitelisted |
7836 | svchost.exe | GET | 206 | 199.232.214.172:80 | http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/bf8090eb-6e5c-4c51-9250-5bf9b46cf160?P1=1751618457&P2=404&P3=2&P4=AFVaeUMe6RRvcpzWzv6rw2Iox3VzlFNoDxYbXUSKDgeNbjJrCofcAnMhnpnCrSEYoG%2fAoRyKP1jlfHAS5Sfi0g%3d%3d | unknown | — | — | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
5944 | MoUsoCoreWorker.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1268 | svchost.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2512 | RUXIMICS.exe | 4.231.128.59:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4580 | msedge.exe | 13.107.42.16:443 | config.edge.skype.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4580 | msedge.exe | 150.171.28.11:80 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4580 | msedge.exe | 140.82.121.4:443 | github.com | GITHUB | US | whitelisted |
4580 | msedge.exe | 150.171.28.11:443 | edge.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4580 | msedge.exe | 2.23.227.211:443 | copilot.microsoft.com | Ooredoo Q.S.C. | QA | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
edge.microsoft.com |
| whitelisted |
config.edge.skype.com |
| whitelisted |
github.com |
| whitelisted |
copilot.microsoft.com |
| whitelisted |
github.githubassets.com |
| whitelisted |
avatars.githubusercontent.com |
| whitelisted |
www.bing.com |
| whitelisted |
github-cloud.s3.amazonaws.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
4580 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |
4580 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |
7892 | ngrok.exe | Misc activity | ET INFO Go-http-client User-Agent Observed Outbound |
7892 | ngrok.exe | Misc activity | ET USER_AGENTS Go HTTP Client User-Agent |
2200 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain (ipapi .co in DNS lookup) |
5436 | winprotect.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
2200 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com) |
5436 | winprotect.exe | Misc activity | ET INFO Observed Discord Service Domain (discord .com) in TLS SNI |
2200 | svchost.exe | Misc activity | ET INFO Discord Chat Service Domain in DNS Lookup (discord .com) |
2200 | svchost.exe | Not Suspicious Traffic | INFO [ANY.RUN] Attempting to access raw user content on GitHub |