| File name: | dekont.exe |
| Full analysis: | https://app.any.run/tasks/4fed0320-b6e7-44a7-8727-6ee2c6fe92ff |
| Verdict: | Malicious activity |
| Threats: | Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. |
| Analysis date: | February 02, 2026, 11:01:36 |
| OS: | Windows 10 Professional (build: 19044, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/vnd.microsoft.portable-executable |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows, 6 sections |
| MD5: | 2DC0D61726889A6D705FABC8C15A33D2 |
| SHA1: | EB95DDE6E6B9849C0D8B4A9E9765E1430C23F55E |
| SHA256: | 90BBC997BEC391C14807BF222F3132C86435A7EAD74502B16EF901276BD117C9 |
| SSDEEP: | 98304:4vbhE1JwXLdgCJ3/OiArzpmJ7eyZJUyiBNSC1N8/iYZuo:uG |
MALICIOUS
Actions looks like stealing of personal data
- jsc.exe (PID: 1732)
PHANTOM has been detected (YARA)
- jsc.exe (PID: 1732)
Steals credentials from Web Browsers
- jsc.exe (PID: 1732)
PHANTOM has been detected
- jsc.exe (PID: 1732)
SUSPICIOUS
Browser sandbox disabling
- chrome.exe (PID: 8716)
- chrome.exe (PID: 8252)
- chrome.exe (PID: 8640)
- firefox.exe (PID: 8668)
- chrome.exe (PID: 1464)
- chrome.exe (PID: 2220)
- chrome.exe (PID: 2788)
- chrome.exe (PID: 5636)
- chrome.exe (PID: 7460)
- chrome.exe (PID: 4144)
- chrome.exe (PID: 7972)
- chrome.exe (PID: 2620)
- firefox.exe (PID: 6200)
- msedge.exe (PID: 8284)
- msedge.exe (PID: 2148)
- msedge.exe (PID: 7464)
- msedge.exe (PID: 3036)
- msedge.exe (PID: 6500)
- msedge.exe (PID: 6536)
- msedge.exe (PID: 9004)
- msedge.exe (PID: 6400)
- msedge.exe (PID: 7028)
- msedge.exe (PID: 1136)
- msedge.exe (PID: 7672)
- msedge.exe (PID: 1424)
- msedge.exe (PID: 8704)
- msedge.exe (PID: 5728)
- msedge.exe (PID: 8944)
- msedge.exe (PID: 9112)
- msedge.exe (PID: 8660)
- msedge.exe (PID: 7716)
- msedge.exe (PID: 524)
- msedge.exe (PID: 4696)
- msedge.exe (PID: 7120)
- msedge.exe (PID: 3796)
- msedge.exe (PID: 6924)
- msedge.exe (PID: 2748)
- msedge.exe (PID: 4660)
- msedge.exe (PID: 6020)
- msedge.exe (PID: 5612)
- firefox.exe (PID: 9448)
- firefox.exe (PID: 9504)
Browser launch with unusual user-data-dir
- jsc.exe (PID: 1732)
- chrome.exe (PID: 8716)
- msedge.exe (PID: 2148)
- msedge.exe (PID: 7464)
Multiple wallet extension IDs have been found
- jsc.exe (PID: 1732)
Found regular expressions for crypto-addresses (YARA)
- jsc.exe (PID: 1732)
Possible usage of Discord/Telegram API has been detected (YARA)
- jsc.exe (PID: 1732)
Contacting a server suspected of hosting an CnC
- jsc.exe (PID: 1732)
Possible stealing of email data
- jsc.exe (PID: 1732)
Checks for external IP
- jsc.exe (PID: 1732)
- svchost.exe (PID: 2292)
INFO
Checks supported languages
- jsc.exe (PID: 1732)
- dekont.exe (PID: 8396)
Reads the machine GUID from the registry
- jsc.exe (PID: 1732)
Create files in a temporary directory
- jsc.exe (PID: 1732)
Application launched itself
- firefox.exe (PID: 6200)
- chrome.exe (PID: 8716)
- msedge.exe (PID: 7464)
- msedge.exe (PID: 2148)
- firefox.exe (PID: 8668)
- firefox.exe (PID: 9504)
- firefox.exe (PID: 9448)
Reads the computer name
- jsc.exe (PID: 1732)
Drops script file
- firefox.exe (PID: 8668)
- firefox.exe (PID: 9504)
Disables trace logs
- jsc.exe (PID: 1732)
Reads CPU info
- jsc.exe (PID: 1732)
Checks proxy server information
- jsc.exe (PID: 1732)
- slui.exe (PID: 8408)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | InstallShield setup (57.6) |
|---|---|---|
| .exe | | | Win64 Executable (generic) (36.9) |
| .exe | | | Generic Win/DOS Executable (2.6) |
| .exe | | | DOS Executable Generic (2.6) |
EXIF
EXE
| MachineType: | AMD AMD64 |
|---|---|
| TimeStamp: | 2026:02:02 05:05:59+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 2.5 |
| CodeSize: | 1047040 |
| InitializedDataSize: | 1339392 |
| UninitializedDataSize: | - |
| EntryPoint: | 0xfaff4 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 1.5.881.75 |
| ProductVersionNumber: | 1.5.881.75 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | Neutral |
| CharacterSet: | Unicode |
| CompanyName: | Halfbeak Radiodynamic Inc. |
| ProductName: | Boswellia Scrob |
| FileDescription: | Pseudotrimera tyrantlike payout orbiter. |
| FileVersion: | 1.5.881.75 |
| ProductVersion: | 1.5.881.75 |
| OriginalFileName: | ElephantryChlorapatite.exe |
| InternalName: | Tremulously Brushability |
| LegalCopyright: | © 2026 Halfbeak Radiodynamic Inc. |
Total processes
216
Monitored processes
68
Malicious processes
5
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 468 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4784 -prefsLen 39371 -prefMapHandle 4788 -prefMapSize 272981 -jsInitHandle 4792 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 4800 -initialChannelId {41fca39d-9614-4ef2-886f-9845e02acaad} -parentPid 9504 -crashReporter "\\.\pipe\gecko-crash-server-pipe.9504" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 136.0 Modules
| |||||||||||||||
| 524 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\admin\AppData\Local\Temp\xbxhhqye.e0b" --extension-process --renderer-sub-type=extension --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=3988,i,5366883856199499050,2625967517900559599,262144 --variations-seed-version --mojo-platform-channel-handle=4144 /prefetch:2 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
| 1136 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-sandbox --mute-audio --message-loop-type-ui --string-annotations --user-data-dir="C:\Users\admin\AppData\Local\Temp\xbxhhqye.e0b" --always-read-main-dll --field-trial-handle=3572,i,5366883856199499050,2625967517900559599,262144 --variations-seed-version --mojo-platform-channel-handle=3668 /prefetch:8 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
| 1424 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\admin\AppData\Local\Temp\xbxhhqye.e0b" --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=3680,i,5366883856199499050,2625967517900559599,262144 --variations-seed-version --mojo-platform-channel-handle=3724 /prefetch:1 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | msedge.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
| 1464 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\Users\admin\AppData\Local\Temp\jlmnzqiu.a31" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=3 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2724,i,4359693193173390969,15013840234260218784,262144 --variations-seed-version --mojo-platform-channel-handle=2844 /prefetch:1 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 133.0.6943.127 Modules
| |||||||||||||||
| 1464 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250227124745 -sandboxingKind 0 -prefsHandle 2664 -prefsLen 45267 -prefMapHandle 2668 -prefMapSize 272981 -ipcHandle 4520 -initialChannelId {bfafc305-88bb-400c-b4bc-47a1eab5addf} -parentPid 8668 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8668" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 136.0 Modules
| |||||||||||||||
| 1684 | "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3864 -prefsLen 39330 -prefMapHandle 3588 -prefMapSize 272981 -jsInitHandle 3852 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 2796 -initialChannelId {a55ac33f-7768-4d07-b95a-72296764b133} -parentPid 8668 -crashReporter "\\.\pipe\gecko-crash-server-pipe.8668" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab | C:\Program Files\Mozilla Firefox\firefox.exe | — | firefox.exe | |||||||||||
User: admin Company: Mozilla Corporation Integrity Level: MEDIUM Description: Firefox Exit code: 0 Version: 136.0 Modules
| |||||||||||||||
| 1732 | "C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe" | C:\Windows\Microsoft.NET\Framework\v4.0.30319\jsc.exe | dekont.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: jsc.exe Version: 14.8.9037.0 built by: NET481REL1 Modules
| |||||||||||||||
| 2148 | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --mute-audio --disable-audio --user-data-dir="C:\Users\admin\AppData\Local\Temp\xbxhhqye.e0b" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | — | jsc.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Edge Exit code: 0 Version: 133.0.3065.92 Modules
| |||||||||||||||
| 2220 | "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --mute-audio --string-annotations --user-data-dir="C:\Users\admin\AppData\Local\Temp\jlmnzqiu.a31" --field-trial-handle=2132,i,4359693193173390969,15013840234260218784,262144 --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:8 | C:\Program Files\Google\Chrome\Application\chrome.exe | — | chrome.exe | |||||||||||
User: admin Company: Google LLC Integrity Level: MEDIUM Description: Google Chrome Exit code: 0 Version: 133.0.6943.127 Modules
| |||||||||||||||
Total events
6 563
Read events
6 549
Write events
14
Delete events
0
Modification events
| (PID) Process: | (1732) jsc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\jsc_RASAPI32 |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (1732) jsc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\jsc_RASAPI32 |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (1732) jsc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\jsc_RASAPI32 |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
| (PID) Process: | (1732) jsc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\jsc_RASAPI32 |
| Operation: | write | Name: | FileTracingMask |
Value: | |||
| (PID) Process: | (1732) jsc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\jsc_RASAPI32 |
| Operation: | write | Name: | ConsoleTracingMask |
Value: | |||
| (PID) Process: | (1732) jsc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\jsc_RASAPI32 |
| Operation: | write | Name: | MaxFileSize |
Value: 1048576 | |||
| (PID) Process: | (1732) jsc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\jsc_RASAPI32 |
| Operation: | write | Name: | FileDirectory |
Value: %windir%\tracing | |||
| (PID) Process: | (1732) jsc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\jsc_RASMANCS |
| Operation: | write | Name: | EnableFileTracing |
Value: 0 | |||
| (PID) Process: | (1732) jsc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\jsc_RASMANCS |
| Operation: | write | Name: | EnableAutoFileTracing |
Value: 0 | |||
| (PID) Process: | (1732) jsc.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Tracing\jsc_RASMANCS |
| Operation: | write | Name: | EnableConsoleTracing |
Value: 0 | |||
Executable files
12
Suspicious files
655
Text files
143
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 8716 | chrome.exe | C:\Users\admin\AppData\Local\Temp\jlmnzqiu.a31\First Run | — | |
MD5:— | SHA256:— | |||
| 8716 | chrome.exe | C:\Users\admin\AppData\Local\Temp\jlmnzqiu.a31\Crashpad\settings.dat | binary | |
MD5:DABF2B1287DD296BC9A9C3CA4A3C9CDB | SHA256:4CF0CA7E806BAE1E8730B3B368163F7A99413FF380C72FCE651E24E197833EEC | |||
| 8716 | chrome.exe | C:\Users\admin\AppData\Local\Temp\jlmnzqiu.a31\Variations | text | |
MD5:961E3604F228B0D10541EBF921500C86 | SHA256:F7B24F2EB3D5EB0550527490395D2F61C3D2FE74BB9CB345197DAD81B58B5FED | |||
| 8716 | chrome.exe | C:\Users\admin\AppData\Local\Temp\jlmnzqiu.a31\Default\Preferences | text | |
MD5:4E59CB02E412FEF6F44850CE158CF0AE | SHA256:604770F4DD9F3C88CE70B0A042E13DFF432D3EF46B429F561C87856AA6FD3506 | |||
| 8716 | chrome.exe | C:\Users\admin\AppData\Local\Temp\jlmnzqiu.a31\Default\Code Cache\wasm\index | binary | |
MD5:54CB446F628B2EA4A5BCE5769910512E | SHA256:FBCFE23A2ECB82B7100C50811691DDE0A33AA3DA8D176BE9882A9DB485DC0F2D | |||
| 8716 | chrome.exe | C:\Users\admin\AppData\Local\Temp\jlmnzqiu.a31\segmentation_platform\ukm_db-journal | binary | |
MD5:38D01F0BF4D1E3169C67DB80EBA30305 | SHA256:54B8275BF76298381DBCCBAF9C29FE3BA7852B352F0379EDEA75CF036F696EDF | |||
| 8716 | chrome.exe | C:\Users\admin\AppData\Local\Temp\jlmnzqiu.a31\Default\History-journal | — | |
MD5:— | SHA256:— | |||
| 8716 | chrome.exe | C:\Users\admin\AppData\Local\Temp\jlmnzqiu.a31\Default\Sync Data\LevelDB\000001.dbtmp | text | |
MD5:46295CAC801E5D4857D09837238A6394 | SHA256:0F1BAD70C7BD1E0A69562853EC529355462FCD0423263A3D39D6D0D70B780443 | |||
| 8716 | chrome.exe | C:\Users\admin\AppData\Local\Temp\jlmnzqiu.a31\Default\Code Cache\js\index-dir\temp-index | binary | |
MD5:115C6623BB2391A9BC5C850C48BB23A5 | SHA256:BEECBFCB30A7E71ACD9E28FCF4DDEA95CD08C7A30D4007457DA65A8223B42E0A | |||
| 8716 | chrome.exe | C:\Users\admin\AppData\Local\Temp\jlmnzqiu.a31\Local State | text | |
MD5:101B085D80BB17866F1D4CFAA71E4BE1 | SHA256:F07E04504F957DE6553F5793514780C4F2434D255D3EEBA6E497813CCA335E08 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
197
TCP/UDP connections
149
DNS requests
147
Threats
12
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
8640 | chrome.exe | GET | 200 | 216.58.206.46:80 | http://clients2.google.com/time/1/current?cup2key=8:oJG0MYXdAXvFpGGMUOp4UruzQCs_JVaQiWgHhA0zC-0&cup2hreq=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 | US | text | 104 b | whitelisted |
— | — | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | US | binary | 312 b | whitelisted |
8640 | chrome.exe | GET | 302 | 192.178.170.138:80 | http://redirector.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx | US | html | 627 b | whitelisted |
8640 | chrome.exe | POST | 200 | 142.251.127.84:443 | https://accounts.google.com/ListAccounts?gpsia=1&source=ChromiumBrowser&json=standard | US | text | 17 b | whitelisted |
8640 | chrome.exe | GET | 200 | 172.217.208.94:443 | https://clientservices.googleapis.com/chrome-variations/seed?osname=win&channel=stable&milestone=133 | US | compressed | 82.0 Kb | whitelisted |
8640 | chrome.exe | GET | 200 | 74.125.29.95:443 | https://safebrowsingohttpgateway.googleapis.com/v1/ohttp/hpkekeyconfig?key=AIzaSyA2KlwBX3mkFo30om9LUFYQhpqLoa_BNhE | US | binary | 41 b | whitelisted |
8640 | chrome.exe | GET | 200 | 216.58.206.46:443 | https://clients2.google.com/service/update2/crx?os=win&arch=x64&os_arch=x86_64&nacl_arch=x86-64&prod=chromecrx&prodchannel=&prodversion=133.0.6943.127&lang=en-US&acceptformat=crx3,puff&x=id%3Dghbmnnjooekpmoecnnnilnnbdlolhkhi%26v%3D0.0.0.0%26installedby%3Dinternal%26uc%26brand%3DGCEB%26ping%3Dr%253D-1%2526e%253D1&x=id%3Dnmmhkkegccagdldgiimedpiccmgmieda%26v%3D0.0.0.0%26installedby%3Dother%26uc%26brand%3DGCEB%26ping%3Dr%253D-1%2526e%253D1 | US | xml | 1.31 Kb | whitelisted |
8640 | chrome.exe | GET | 200 | 216.58.206.33:443 | https://clients2.googleusercontent.com/crx/blobs/AV8Xwo7T4emuVBe-4uGsskAqSULusSY436_Dfke0zG_M64Yq7jAvld7zNGgGsRiz8A12Vjnj15n-x0SQPT2PsUaqpnju_PtGYyLzjepmM4EEMxmrlYU2nu1WwqafSGZrx1UAxlKa5WwAH2pdgK_ZUcqbcT7cvAQjUViM/GHBMNNJOOEKPMOECNNNILNNBDLOLHKHI_1_100_1_0.crx | US | binary | 128 Kb | unknown |
8640 | chrome.exe | GET | 200 | 74.125.175.105:443 | https://r4---sn-aigl6nzk.gvt1.com/edgedl/chromewebstore/L2Nocm9tZV9leHRlbnNpb24vYmxvYnMvNzI0QUFXNV9zT2RvdUwyMERESEZGVmJnQQ/1.0.0.6_nmmhkkegccagdldgiimedpiccmgmieda.crx?cms_redirect=yes&met=1770030108,&mh=e_&mip=45.86.203.52&mm=28&mn=sn-aigl6nzk&ms=nvh&mt=1770029545&mv=m&mvi=4&pl=24&rmhost=r1---sn-aigl6nzk.gvt1.com&rms=nvh,nvh&shardbypass=sd&smhost=r5---sn-aigl6nsr.gvt1.com | US | binary | 128 Kb | whitelisted |
356 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | US | binary | 471 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | Not routed | — | whitelisted |
6320 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5780 | RUXIMICS.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
6768 | MoUsoCoreWorker.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
5568 | SearchApp.exe | 95.100.158.112:443 | www.bing.com | AKAMAI-ASN1 | NL | whitelisted |
— | — | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted |
3412 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
4 | System | 192.168.100.255:138 | — | Not routed | — | whitelisted |
8640 | chrome.exe | 216.58.206.46:80 | clients2.google.com | GOOGLE | US | whitelisted |
8640 | chrome.exe | 74.125.29.95:443 | safebrowsingohttpgateway.googleapis.com | GOOGLE | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.bing.com |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
client.wns.windows.com |
| whitelisted |
clients2.google.com |
| whitelisted |
safebrowsingohttpgateway.googleapis.com |
| whitelisted |
clientservices.googleapis.com |
| whitelisted |
accounts.google.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
6320 | svchost.exe | Unknown Traffic | ET USER_AGENTS Microsoft Dr Watson User-Agent (MSDW) |
2292 | svchost.exe | Misc activity | ET HUNTING Telegram API Domain in DNS Lookup |
1732 | jsc.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) |
1732 | jsc.exe | Misc activity | ET HUNTING Telegram API Certificate Observed |
1732 | jsc.exe | Device Retrieving External IP Address Detected | SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request |
2292 | svchost.exe | Device Retrieving External IP Address Detected | ET INFO External IP Lookup Domain in DNS Lookup (icanhazip .com) |
1732 | jsc.exe | Attempted Information Leak | ET INFO IP Check Domain (icanhazip. com in HTTP Host) |
1732 | jsc.exe | Misc activity | ET HUNTING Observed Telegram API Domain (api .telegram .org in TLS SNI) |
1732 | jsc.exe | Misc activity | SUSPICIOUS [ANY.RUN] Sent Host Name in HTTP POST Body |
1732 | jsc.exe | Misc activity | ET HUNTING Telegram API Request (GET) |
Process | Message |
|---|---|
chrome.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\jlmnzqiu.a31 directory exists )
|
msedge.exe | RecursiveDirectoryCreate( C:\Users\admin\AppData\Local\Temp\xbxhhqye.e0b directory exists )
|