File name: xegYmPC.exe

Full analysis: https://app.any.run/tasks/8d923078-d328-4ec7-8b11-14d7ba126ed6
Verdict: Malicious activity
Threats:

Stealers are a category of malicious software intended to gain unauthorized access to users' information and transfer it to the attacker. The category includes various programs, each focused on a particular kind of data, such as files, passwords, and cryptocurrency. Stealers can also spy on their targets by recording keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns.

Analysis date: May 27, 2025, 16:47:06
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 4 sections
MD5: 5EFF5FBF2110ADD294DA3EB10C79299E
SHA1: 66FB81982CD8229469E71F533C6D3BE8D2AB5007
SHA256: B309A34D8F0FD69613D30CF544609536FD08E724EC3C8C42991FC91C2A5D3812
SSDEEP: 98304:VfPnvHtHI0X+orJDpfR6yLBrumdYy3j6CWHXIuYz45ot8bpCmdwL7dElYqUwZV8K:EtppSt1rY

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Steals credentials from Web Browsers

      • BetaContro.exe (PID: 1812)
    • Actions look like stealing of personal data

      • BetaContro.exe (PID: 1812)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • xegYmPC.exe (PID: 2340)
      • jRE9kd1BncC299.exe (PID: 4188)
      • BetaContro.exe (PID: 1812)
    • Executable content was dropped or overwritten

      • USilv.exe (PID: 4620)
      • xegYmPC.exe (PID: 2340)
      • USilv.exe (PID: 3300)
      • BetaContro.exe (PID: 1812)
      • Infra-Co.exe (PID: 4200)
      • jRE9kd1BncC299.exe (PID: 4188)
    • Starts itself from another location

      • USilv.exe (PID: 4620)
    • There is functionality for taking screenshot (YARA)

      • USilv.exe (PID: 3300)
      • jRE9kd1BncC299.exe (PID: 4188)
    • Reads the date of Windows installation

      • BetaContro.exe (PID: 1812)
      • NeuroM.exe (PID: 3140)
    • Process drops legitimate windows executable

      • jRE9kd1BncC299.exe (PID: 4188)
    • The process creates files with name similar to system file names

      • jRE9kd1BncC299.exe (PID: 4188)
    • Starts a Microsoft application from unusual location

      • Infra-Co.exe (PID: 4200)
    • Executes application which crashes

      • BetaContro.exe (PID: 1812)
  • INFO

    • Create files in a temporary directory

      • xegYmPC.exe (PID: 2340)
      • USilv.exe (PID: 3300)
      • BetaContro.exe (PID: 1812)
      • jRE9kd1BncC299.exe (PID: 4188)
      • Infra-Co.exe (PID: 4200)
    • Checks supported languages

      • xegYmPC.exe (PID: 2340)
      • USilv.exe (PID: 3300)
      • USilv.exe (PID: 4620)
      • BetaContro.exe (PID: 1812)
      • jRE9kd1BncC299.exe (PID: 4188)
      • Infra-Co.exe (PID: 4200)
      • NeuroM.exe (PID: 3140)
    • Reads the computer name

      • xegYmPC.exe (PID: 2340)
      • USilv.exe (PID: 4620)
      • BetaContro.exe (PID: 1812)
      • jRE9kd1BncC299.exe (PID: 4188)
      • USilv.exe (PID: 3300)
      • NeuroM.exe (PID: 3140)
      • Infra-Co.exe (PID: 4200)
    • The sample compiled with English language support

      • xegYmPC.exe (PID: 2340)
      • USilv.exe (PID: 4620)
      • USilv.exe (PID: 3300)
      • jRE9kd1BncC299.exe (PID: 4188)
      • Infra-Co.exe (PID: 4200)
    • Process checks computer location settings

      • xegYmPC.exe (PID: 2340)
      • BetaContro.exe (PID: 1812)
      • jRE9kd1BncC299.exe (PID: 4188)
    • Creates files in the program directory

      • USilv.exe (PID: 4620)
      • USilv.exe (PID: 3300)
      • Infra-Co.exe (PID: 4200)
    • Creates files or folders in the user directory

      • USilv.exe (PID: 3300)
      • Infra-Co.exe (PID: 4200)
      • WerFault.exe (PID: 5968)
    • Reads the machine GUID from the registry

      • BetaContro.exe (PID: 1812)
      • NeuroM.exe (PID: 3140)
    • The sample compiled with Chinese language support

      • USilv.exe (PID: 3300)
    • Checks proxy server information

      • BetaContro.exe (PID: 1812)
    • Reads the software policy settings

      • slui.exe (PID: 4436)
      • BetaContro.exe (PID: 1812)
No Malware configuration.

TRiD

.exe | Generic Win/DOS Executable (50)
.exe | DOS Executable Generic (49.9)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2010:06:27 07:06:38+00:00
ImageFileCharacteristics: No relocs, Executable, 32-bit
PEType: PE32
LinkerVersion: 8
CodeSize: 70656
InitializedDataSize: 116736
UninitializedDataSize: -
EntryPoint: 0x11def
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.4.0.1795
ProductVersionNumber: 1.4.0.1795
FileFlagsMask: 0x003f
FileFlags: Private build
FileOS: Windows NT 32-bit
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
CompanyName: Oleg N. Scherbakov
FileDescription: 7z Setup SFX (x86)
FileVersion: 1.4.0.1795
InternalName: 7ZSfxMod
LegalCopyright: Copyright © 2005-2010 Oleg N. Scherbakov
OriginalFileName: 7ZSfxMod_x86.exe
PrivateBuild: June 27, 2010
ProductName: 7-Zip SFX
ProductVersion: 1.4.0.1795
No data.
Total processes: 144
Monitored processes: 13
Malicious processes: 4
Suspicious processes: 1

Behavior graph

start xegympc.exe usilv.exe sppextcomobj.exe no specs slui.exe usilv.exe betacontro.exe tcpvcon.exe no specs jre9kd1bncc299.exe infra-co.exe werfault.exe no specs neurom.exe tcpvcon.exe no specs slui.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1196
CMD: "C:\Users\admin\AppData\Roaming\Monmon5\tcpvcon.exe" "C:\Users\admin\AppData\Roaming\Monmon5\tcpvcon.exe" /accepteula
Path: C:\Users\admin\AppData\Roaming\Monmon5\tcpvcon.exe
Parent process: USilv.exe
User:
admin
Company:
Sysinternals - www.sysinternals.com
Integrity Level:
MEDIUM
Description:
Sysinternals TcpVcon
Version:
4.18
PID: 1812
CMD: C:\ProgramData\BetaContro.exe
Path: C:\ProgramData\BetaContro.exe
Parent process: USilv.exe
User:
admin
Company:
Qihoo 360 Technology Co. Ltd.
Integrity Level:
MEDIUM
Description:
Desktop Organizer
Exit code:
3221225477
Version:
1, 0, 0, 1156
Modules
Images
c:\users\admin\appdata\local\temp\ee5fb4b.tmp
c:\programdata\betacontro.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 2340
CMD: "C:\Users\admin\AppData\Local\Temp\xegYmPC.exe"
Path: C:\Users\admin\AppData\Local\Temp\xegYmPC.exe
Parent process: explorer.exe
User:
admin
Company:
Oleg N. Scherbakov
Integrity Level:
MEDIUM
Description:
7z Setup SFX (x86)
Exit code:
0
Version:
1.4.0.1795
Modules
Images
c:\users\admin\appdata\local\temp\xegympc.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 2904
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 3140
CMD: C:\ProgramData\NeuroM.exe
Path: C:\ProgramData\NeuroM.exe
Parent process: Infra-Co.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\users\admin\appdata\local\temp\f517741.tmp
c:\programdata\neurom.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
PID: 3300
CMD: C:\ProgramData\Monmon5\USilv.exe
Path: C:\ProgramData\Monmon5\USilv.exe
Parent process: USilv.exe
User:
admin
Company:
John Paul Chacha's Lab
Integrity Level:
MEDIUM
Description:
Chasys Draw IES Converter
Version:
5, 34, 1, 0
Modules
Images
c:\programdata\monmon5\usilv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4188
CMD: "C:\Users\admin\AppData\Local\Temp\jRE9kd1BncC299.exe"
Path: C:\Users\admin\AppData\Local\Temp\jRE9kd1BncC299.exe
Parent process: BetaContro.exe
User:
admin
Company:
Oleg N. Scherbakov
Integrity Level:
MEDIUM
Description:
7z Setup SFX (x86)
Version:
1.4.0.1795
Modules
Images
c:\users\admin\appdata\local\temp\jre9kd1bncc299.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
PID: 4200
CMD: "C:\Users\admin\AppData\Local\Temp\Infra-Co.exe"
Path: C:\Users\admin\AppData\Local\Temp\Infra-Co.exe
Parent process: jRE9kd1BncC299.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Test Authoring and Execution Framework [v10.88]
Version:
10.88.2411.08001
Modules
Images
c:\users\admin\appdata\local\temp\infra-co.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\ucrtbase.dll
PID: 4436
CMD: "C:\WINDOWS\System32\SLUI.exe" RuleId=3482d82e-ca2c-4e1f-8864-da0267b484b2;Action=AutoActivate;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=4de7cb65-cdf1-4de9-8ae8-e3cce27b9f2c;NotificationInterval=1440;Trigger=TimerEvent
Path: C:\Windows\System32\slui.exe
Parent process: SppExtComObj.Exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 4620
CMD: "C:\Users\admin\AppData\Local\Temp\USilv.exe"
Path: C:\Users\admin\AppData\Local\Temp\USilv.exe
Parent process: xegYmPC.exe
User:
admin
Company:
John Paul Chacha's Lab
Integrity Level:
MEDIUM
Description:
Chasys Draw IES Converter
Exit code:
0
Version:
5, 34, 1, 0
Modules
Images
c:\users\admin\appdata\local\temp\usilv.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll
Total events: 4 060
Read events: 4 058
Write events: 2
Delete events: 0

Modification events

(PID) Process: (3140) NeuroM.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Application10
Operation: write
Name: b
Value: 2233613161323464322D316566642D646138332D323161372D37396639366439626335653022
(PID) Process: (3140) NeuroM.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Application10
Operation: write
Name: c
Value:
Executable files: 18
Suspicious files: 3
Text files: 4
Unknown types: 2

Dropped files

PID | Process | Filename | Type | MD5 | SHA256
2340 | xegYmPC.exe | C:\Users\admin\AppData\Local\Temp\Prumchartfeen.rl | | |
4620 | USilv.exe | C:\ProgramData\Monmon5\Prumchartfeen.rl | | |
3300 | USilv.exe | C:\Users\admin\AppData\Local\Temp\EDBF07C.tmp | | |
4188 | jRE9kd1BncC299.exe | C:\Users\admin\AppData\Local\Temp\Hundbreendprim.ics | | |
2340 | xegYmPC.exe | C:\Users\admin\AppData\Local\Temp\USilv.exe | executable | F4302FE795F09128D6046DB4B96ACE59 | A978B51372A5185007BE36E7B808FC09D88453188378B34E90ECBD5DE726D5A0
3300 | USilv.exe | C:\Users\admin\AppData\Roaming\Monmon5\tcpvcon.exe | executable | 1CF39530D557CE880D7F71984928384F | 198995FECC0E38A2749B7E48C54112A959B77878683B726EE36430C4BACEC196
4200 | Infra-Co.exe | C:\Users\admin\AppData\Local\Temp\F456927.tmp | | |
1812 | BetaContro.exe | C:\Users\admin\AppData\Local\Temp\jRE9kd1BncC299.exe | executable | F37EE5E9E70E7AE17135E5CE39112E0E | BD6B94857200AB6693AD6A75C6CA3D7D30C8056A64E80A8341A8970D55B2FBB3
4188 | jRE9kd1BncC299.exe | C:\Users\admin\AppData\Local\Temp\Wex.Common.dll | executable | B3DF4F43929D6E720A5932170F4E21BC | C3F33C4B04AD42BB7E1D395D64591457F7C4D6CB76122F33317E75AE868007FC
4188 | jRE9kd1BncC299.exe | C:\Users\admin\AppData\Local\Temp\Wex.Logger.dll | executable | 2F4C45B4C38E6F3AA88F87DEAB304A17 | 7D8F0A132C6D83417AB2A3840CE076D23268FB2EA263EDC4DBA1282495383A10
HTTP(S) requests: 6
TCP/UDP connections: 24
DNS requests: 18
Threats: 1

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | DE | binary | 471 b | whitelisted
2104 | svchost.exe | GET | 200 | 23.216.77.28:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | DE | binary | 825 b | whitelisted
5728 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | DE | binary | 419 b | whitelisted
3140 | NeuroM.exe | GET | 101 | 104.21.80.1:80 | http://flare-299.shop/c | unknown | | | unknown
2104 | svchost.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | DE | binary | 868 b | whitelisted
5728 | SIHClient.exe | GET | 200 | 23.52.120.96:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | DE | binary | 407 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2104 | svchost.exe | 23.216.77.28:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
2104 | svchost.exe | 23.52.120.96:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
| | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
4 | System | 192.168.100.255:137 | | | | whitelisted
6544 | svchost.exe | 40.126.31.69:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2104 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
5728 | SIHClient.exe | 172.202.163.200:443 | slscr.update.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | GB | whitelisted

DNS requests

Domain | IP | Reputation
settings-win.data.microsoft.com | 51.104.136.2, 51.124.78.146 | whitelisted
crl.microsoft.com | 23.216.77.28, 23.216.77.6 | whitelisted
www.microsoft.com | 23.52.120.96 | whitelisted
google.com | 142.250.185.78 | whitelisted
client.wns.windows.com | 172.211.123.249 | whitelisted
login.live.com | 40.126.31.69, 40.126.31.2, 40.126.31.73, 20.190.159.73, 40.126.31.1, 40.126.31.71, 20.190.159.129, 40.126.31.3 | whitelisted
ocsp.digicert.com | 2.17.190.73 | whitelisted
slscr.update.microsoft.com | 172.202.163.200 | whitelisted
fe3cr.delivery.mp.microsoft.com | 13.85.23.206 | whitelisted
uplink-routes.asia | 104.21.80.1, 104.21.96.1, 104.21.48.1, 104.21.64.1, 104.21.112.1, 104.21.16.1, 104.21.32.1 | unknown

Threats

PID | Process | Class | Message
3140 | NeuroM.exe | A Network Trojan was detected | ET MALWARE DeerStealer Websocket Initial Request
No debug info