File name:

n.exe

Full analysis: https://app.any.run/tasks/8ce29cd5-279d-4b7b-a6d2-5a38efa644ea
Verdict: Malicious activity
Threats:

A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection.

Malware Trends Tracker     >>>
Analysis date: May 25, 2025, 23:59:57
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
stealer
loader
diamotrix
clipper
ransomware
yero
worm
arch-doc
arch-exec
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 5 sections
MD5:

72F47AB2A4D02BCF7964AE4D6997000B

SHA1:

554B217D26B6AB283EDB0CFC0347CAD9B147FE54

SHA256:

1301E4E6E9F4C27B06D4CB89147445D612E40BED3F9CAA525229FD2A0412D3BB

SSDEEP:

3072:DDMdMv3/i509Sew5aw2naULwnmeiV4UmpHSXy4ytGwq7:b/i5Zew5awQaUgmLVopHSXy4O

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Actions looks like stealing of personal data

      • n.exe (PID: 7000)
      • tmp5637.exe (PID: 5728)

    • Modifies files in the Chrome extension folder

      • n.exe (PID: 7000)

    • Writes a file to the Word startup folder

      • n.exe (PID: 7000)

    • RANSOMWARE has been detected

      • n.exe (PID: 7000)

    • YERO has been detected

      • n.exe (PID: 7000)
      • Update.exe (PID: 3008)
      • F570.tmp.exe (PID: 668)

    • Changes the autorun value in the registry

      • tmp8259.exe (PID: 5064)
      • tmp7881.exe (PID: 4016)

    • DIAMOTRIX mutex has been found

      • sysmrdv.exe (PID: 4920)
      • sysmrdv.exe (PID: 644)
      • sysmrdv.exe (PID: 780)

    • Executing a file with an untrusted certificate

      • tmp2267.exe (PID: 3396)
      • tmp2267.exe (PID: 3332)
      • tmp1575.exe (PID: 5984)
      • tmp1575.exe (PID: 6612)
      • tmp7759.exe (PID: 6824)
      • tmp7759.exe (PID: 5736)

    • Registers / Runs the DLL via REGSVR32.EXE

      • tmp2267.tmp (PID: 5528)
      • tmp1575.tmp (PID: 3124)
      • tmp7759.tmp (PID: 5568)

  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • n.exe (PID: 7000)
      • tmp8259.exe (PID: 5064)
      • tmp2267.exe (PID: 3332)
      • tmp2267.tmp (PID: 536)
      • tmp5637.exe (PID: 5728)
      • tmp2267.exe (PID: 3396)
      • tmp7881.exe (PID: 4016)
      • tmp2267.tmp (PID: 5528)
      • 7z.exe (PID: 3676)
      • tmp1575.exe (PID: 5984)
      • tmp1575.tmp (PID: 3192)
      • tmp1575.exe (PID: 6612)
      • tmp1575.tmp (PID: 3124)
      • 7z.exe (PID: 2240)
      • explorer.exe (PID: 5492)
      • Update.exe (PID: 3008)
      • tmp6728.exe (PID: 6792)
      • F570.tmp.exe (PID: 668)
      • 7z.exe (PID: 3124)
      • tmp7759.tmp (PID: 6960)
      • tmp7759.exe (PID: 5736)
      • tmp7759.exe (PID: 6824)
      • tmp7759.tmp (PID: 5568)
      • tmp4013.exe (PID: 664)

    • Creates file in the systems drive root

      • n.exe (PID: 7000)

    • Reads security settings of Internet Explorer

      • n.exe (PID: 7000)
      • tmp8259.exe (PID: 5064)
      • tmp2267.tmp (PID: 536)
      • tmp5637.exe (PID: 5728)
      • tmp7881.exe (PID: 4016)
      • temp_4288.exe (PID: 6392)

    • Process drops legitimate windows executable

      • n.exe (PID: 7000)
      • tmp8259.exe (PID: 5064)
      • tmp7881.exe (PID: 4016)
      • tmp5637.exe (PID: 5728)
      • explorer.exe (PID: 5492)
      • Update.exe (PID: 3008)
      • F570.tmp.exe (PID: 668)

    • Reads the date of Windows installation

      • n.exe (PID: 7000)
      • tmp8259.exe (PID: 5064)
      • tmp7881.exe (PID: 4016)
      • tmp5637.exe (PID: 5728)
      • temp_4288.exe (PID: 6392)

    • Starts a Microsoft application from unusual location

      • tmp8259.exe (PID: 5064)
      • tmp7881.exe (PID: 4016)
      • temp_4288.exe (PID: 6392)
      • B00.tmp.exe (PID: 2384)
      • tmp8583.exe (PID: 6768)
      • tmp1912.exe (PID: 5596)
      • tmp5871.exe (PID: 4276)
      • tmp8503.exe (PID: 6820)

    • Connects to the server without a host name

      • n.exe (PID: 7000)
      • tmp5637.exe (PID: 5728)
      • Update.exe (PID: 3008)
      • explorer.exe (PID: 5492)
      • tmp6728.exe (PID: 6792)
      • F570.tmp.exe (PID: 668)
      • tmp4013.exe (PID: 664)

    • Process requests binary or script from the Internet

      • n.exe (PID: 7000)
      • tmp5637.exe (PID: 5728)
      • Update.exe (PID: 3008)
      • F570.tmp.exe (PID: 668)

    • Starts itself from another location

      • tmp8259.exe (PID: 5064)
      • tmp7881.exe (PID: 4016)
      • temp_4288.exe (PID: 6392)
      • tmp8583.exe (PID: 6768)
      • tmp1912.exe (PID: 5596)
      • tmp5871.exe (PID: 4276)
      • tmp8503.exe (PID: 6820)

    • Reads the Windows owner or organization settings

      • tmp2267.tmp (PID: 536)
      • tmp2267.tmp (PID: 5528)

    • Potential Corporate Privacy Violation

      • n.exe (PID: 7000)
      • tmp5637.exe (PID: 5728)
      • Update.exe (PID: 3008)
      • F570.tmp.exe (PID: 668)

    • Starts POWERSHELL.EXE for commands execution

      • regsvr32.exe (PID: 2332)
      • regsvr32.exe (PID: 1184)
      • regsvr32.exe (PID: 3156)
      • regsvr32.exe (PID: 780)
      • regsvr32.exe (PID: 2840)

    • The process bypasses the loading of PowerShell profile settings

      • regsvr32.exe (PID: 2332)

    • The process hide an interactive prompt from the user

      • regsvr32.exe (PID: 2332)

    • The process executes via Task Scheduler

      • regsvr32.exe (PID: 3156)
      • regsvr32.exe (PID: 2840)

  • INFO

    • Creates files or folders in the user directory

      • n.exe (PID: 7000)
      • tmp8259.exe (PID: 5064)
      • tmp7881.exe (PID: 4016)
      • 7z.exe (PID: 3676)
      • tmp5637.exe (PID: 5728)

    • Checks supported languages

      • n.exe (PID: 7000)
      • tmp8259.exe (PID: 5064)
      • tmp1248.exe (PID: 5384)
      • tmp2267.exe (PID: 3332)
      • sysmrdv.exe (PID: 4920)
      • tmp2267.tmp (PID: 536)
      • tmp2267.exe (PID: 3396)
      • tmp5637.exe (PID: 5728)
      • tmp2267.tmp (PID: 5528)
      • tmp7881.exe (PID: 4016)
      • sysmrdv.exe (PID: 644)
      • 7z.exe (PID: 3676)
      • temp_4288.exe (PID: 6392)
      • sysmrdv.exe (PID: 780)

    • Reads the software policy settings

      • slui.exe (PID: 6372)
      • slui.exe (PID: 5164)

    • Create files in a temporary directory

      • n.exe (PID: 7000)
      • tmp2267.tmp (PID: 536)
      • tmp2267.exe (PID: 3396)
      • tmp2267.exe (PID: 3332)
      • tmp2267.tmp (PID: 5528)
      • tmp5637.exe (PID: 5728)

    • Reads the computer name

      • n.exe (PID: 7000)
      • tmp8259.exe (PID: 5064)
      • tmp1248.exe (PID: 5384)
      • tmp2267.tmp (PID: 536)
      • tmp2267.tmp (PID: 5528)
      • tmp5637.exe (PID: 5728)
      • tmp7881.exe (PID: 4016)
      • 7z.exe (PID: 3676)
      • temp_4288.exe (PID: 6392)

    • Checks proxy server information

      • n.exe (PID: 7000)
      • tmp5637.exe (PID: 5728)
      • slui.exe (PID: 5164)

    • The sample compiled with english language support

      • n.exe (PID: 7000)
      • tmp8259.exe (PID: 5064)
      • tmp7881.exe (PID: 4016)
      • tmp5637.exe (PID: 5728)
      • explorer.exe (PID: 5492)
      • Update.exe (PID: 3008)
      • F570.tmp.exe (PID: 668)

    • Process checks computer location settings

      • tmp8259.exe (PID: 5064)
      • n.exe (PID: 7000)
      • tmp2267.tmp (PID: 536)
      • tmp7881.exe (PID: 4016)
      • tmp5637.exe (PID: 5728)
      • temp_4288.exe (PID: 6392)

    • Failed to create an executable file in Windows directory

      • tmp8259.exe (PID: 5064)
      • tmp7881.exe (PID: 4016)
      • temp_4288.exe (PID: 6392)

    • Creates files in the program directory

      • tmp5637.exe (PID: 5728)

    • Checks if a key exists in the options dictionary (POWERSHELL)

      • powershell.exe (PID: 6980)

    • Application launched itself

      • chrome.exe (PID: 6040)

    • Manual execution by a user

      • chrome.exe (PID: 6040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:05:25 23:45:36+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 12
CodeSize: 47104
InitializedDataSize: 49152
UninitializedDataSize: -
EntryPoint: 0x1d7c
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
214
Monitored processes
82
Malicious processes
19
Suspicious processes
6

Behavior graph

Click at the process to see the details
start THREAT n.exe sppextcomobj.exe no specs slui.exe slui.exe tmp8259.exe tmp1248.exe no specs #DIAMOTRIX sysmrdv.exe no specs tmp2267.exe tmp2267.tmp tmp2267.exe tmp5637.exe tmp2267.tmp tmp7881.exe 7z.exe conhost.exe no specs #DIAMOTRIX sysmrdv.exe no specs regsvr32.exe no specs regsvr32.exe no specs powershell.exe no specs conhost.exe no specs temp_4288.exe no specs #DIAMOTRIX sysmrdv.exe no specs powershell.exe no specs conhost.exe no specs explorer.exe chrome.exe chrome.exe no specs b00.tmp.exe no specs sysmrdv.exe no specs chrome.exe no specs chrome.exe chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs chrome.exe no specs #YERO update.exe tmp8583.exe no specs tmp1063.exe no specs sysmrdv.exe no specs tmp1575.exe tmp1575.tmp tmp1575.exe tmp1575.tmp 7z.exe conhost.exe no specs regsvr32.exe no specs regsvr32.exe no specs tmp6728.exe powershell.exe no specs conhost.exe no specs tmp1912.exe no specs sysmrdv.exe no specs rundll32.exe no specs regsvr32.exe no specs powershell.exe no specs conhost.exe no specs explorer.exe no specs COpenControlPanel no specs #YERO f570.tmp.exe tmp5871.exe no specs tmp7250.exe no specs sysmrdv.exe no specs tmp7759.exe tmp7759.tmp tmp7759.exe tmp7759.tmp 7z.exe conhost.exe no specs regsvr32.exe no specs regsvr32.exe no specs powershell.exe no specs conhost.exe no specs tmp4013.exe tmp8503.exe no specs sysmrdv.exe no specs regsvr32.exe no specs powershell.exe no specs conhost.exe no specs svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
236"C:\Users\admin\AppData\Roaming\Sysmrdv\sysmrdv.exe" C:\Users\admin\AppData\Roaming\Sysmrdv\sysmrdv.exetmp8503.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
System
Exit code:
0
Version:
6.0.0.1
Modules
Images
c:\users\admin\appdata\roaming\sysmrdv\sysmrdv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\shell32.dll
240\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1C:\Windows\System32\conhost.exe7z.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
512"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4608 --field-trial-handle=1952,i,14506648584675907374,7138016534067302763,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:1C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
536"C:\Users\admin\AppData\Local\Temp\is-J5324.tmp\tmp2267.tmp" /SL5="$D030C,1967372,813056,C:\Users\admin\AppData\Local\Temp\tmp2267.exe" -silentC:\Users\admin\AppData\Local\Temp\is-J5324.tmp\tmp2267.tmp
tmp2267.exe
User:
admin
Company:
Integrity Level:
MEDIUM
Description:
Setup/Uninstall
Exit code:
1
Version:
51.1052.0.0
Modules
Images
c:\users\admin\appdata\local\temp\is-j5324.tmp\tmp2267.tmp
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\comdlg32.dll
616C:\WINDOWS\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}C:\Windows\SysWOW64\dllhost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\ucrtbase.dll
c:\windows\syswow64\combase.dll
644"C:\Users\admin\AppData\Roaming\Sysmrdv\sysmrdv.exe" C:\Users\admin\AppData\Roaming\Sysmrdv\sysmrdv.exe
tmp7881.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
System
Exit code:
0
Version:
6.0.0.1
Modules
Images
c:\users\admin\appdata\roaming\sysmrdv\sysmrdv.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
664"C:\Users\admin\AppData\Local\Temp\tmp4013.exe" C:\Users\admin\AppData\Local\Temp\tmp4013.exe
F570.tmp.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\tmp4013.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
668C:\Users\admin\AppData\Local\Temp\F570.tmp.exeC:\Users\admin\AppData\Local\Temp\F570.tmp.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\f570.tmp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\shlwapi.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
760"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --disable-quic --no-appcompat-clear --mojo-platform-channel-handle=2352 --field-trial-handle=1952,i,14506648584675907374,7138016534067302763,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:8C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
772"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1948 --field-trial-handle=1952,i,14506648584675907374,7138016534067302763,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version /prefetch:2C:\Program Files\Google\Chrome\Application\chrome.exechrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
LOW
Description:
Google Chrome
Exit code:
0
Version:
122.0.6261.70
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
Total events
144 712
Read events
143 887
Write events
782
Delete events
43

Modification events

(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconLayouts
Value:
00000000000000000000000000000000030001000100010017000000000000002C000000000000003A003A007B00360034003500460046003000340030002D0035003000380031002D0031003000310042002D0039004600300038002D003000300041004100300030003200460039003500340045007D003E002000200000001000000000000000430043006C00650061006E00650072002E006C006E006B003E0020007C0000001500000000000000410064006F006200650020004100630072006F006200610074002E006C006E006B003E0020007C0000000F00000000000000460069007200650066006F0078002E006C006E006B003E0020007C000000150000000000000047006F006F0067006C00650020004300680072006F006D0065002E006C006E006B003E0020007C000000180000000000000056004C00430020006D006500640069006100200070006C0061007900650072002E006C006E006B003E0020007C00000016000000000000004D006900630072006F0073006F0066007400200045006400670065002E006C006E006B003E0020007C0000000D0000000000000053006B007900700065002E006C006E006B003E0020007C00000011000000000000006200650069006E006700730065006E0074002E006A00700067003E002000200000001000000000000000620065006C006F0077007300650065002E007200740066003E002000200000001400000000000000630061007200650065007200630061006D006500720061002E007200740066003E002000200000001500000000000000640061007400610062006100730065006400650061006C0073002E006A00700067003E002000200000001800000000000000640065007400610069006C006500640064006F00630075006D0065006E0074002E007200740066003E00200020000000170000000000000066006F00720077006100720064006E006F00760065006D006200650072002E007200740066003E002000200000000E000000000000006E006F0073006100790073002E006A00700067003E0020002000000013000000000000006E006F007400690063006500730075006900740065002E007200740066003E0020002000000010000000000000006F0075007200730068006900700073002E0070006E0067003E0020002000000019000000000000007200650061006400650072006100730073006F00630069006100740069006F006E002E006A00700067003E00200020000000140000000000000072006500760069006500770073007300740079006C0065002E007200740066003E002000200000001600000000000000770061007400630068006500730061006400760061006E00630065002E006A00700067003E002000200000001400000000000000770068006900630068006A0061006E0075006100720079002E006A00700067003E002000200000001300000000000000770068006F0073006500630061006C006C00650064002E007200740066003E002000200000000E000000000000005500700064006100740065002E006500780065003E00200020000000010000000000000002000100000000000000000001000000000000000200010000000000000000001100000006000000010000001700000000000000000000000000000000000000803F0000004008000000803F0000404009000000803F000080400A000000803F0000A0400B0000000040000000000C00000000400000803F0D0000000040000000400E0000000040000040400F0000000040000080401000000000400000A040110000004040000000001200000040400000803F13000000404000000040140000004040000040401500000000000000803F0100000000000000004002000000000000004040030000000000000080400400000000000000A04005000000803F0000000006000000803F0000803F070000004040000080401600
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconNameVersion
Value:
1
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:writeName:LastUpdate
Value:
04AF336800000000
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
Operation:delete keyName:(default)
Value:
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
Operation:writeName:Classes
Value:
.accdb
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
Operation:writeName:~reserved~
Value:
0800000000000600
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:Mode
Value:
1
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:LogicalViewMode
Value:
3
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:FFlags
Value:
(PID) Process:(5492) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconSize
Value:
48
Executable files
2 439
Suspicious files
102
Text files
84
Unknown types
0

Dropped files

PID
Process
Filename
Type
7000n.exeC:\Users\admin\AppData\Local\Adobe\ARM\Reader_20.013.20074\Update.exeexecutable
MD5:72F47AB2A4D02BCF7964AE4D6997000B
SHA256:1301E4E6E9F4C27B06D4CB89147445D612E40BED3F9CAA525229FD2A0412D3BB
7000n.exeC:\Users\admin\AppData\Local\Adobe\ARM\{291AA914-A987-4CE9-BD63-0C0A92D435E5}\Update.exeexecutable
MD5:72F47AB2A4D02BCF7964AE4D6997000B
SHA256:1301E4E6E9F4C27B06D4CB89147445D612E40BED3F9CAA525229FD2A0412D3BB
7000n.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Acrobat\Files\Update.exeexecutable
MD5:72F47AB2A4D02BCF7964AE4D6997000B
SHA256:1301E4E6E9F4C27B06D4CB89147445D612E40BED3F9CAA525229FD2A0412D3BB
7000n.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\Update.exeexecutable
MD5:72F47AB2A4D02BCF7964AE4D6997000B
SHA256:1301E4E6E9F4C27B06D4CB89147445D612E40BED3F9CAA525229FD2A0412D3BB
7000n.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\SOPHIA\Update.exeexecutable
MD5:72F47AB2A4D02BCF7964AE4D6997000B
SHA256:1301E4E6E9F4C27B06D4CB89147445D612E40BED3F9CAA525229FD2A0412D3BB
7000n.exeC:\Users\admin\AppData\Local\Adobe\ARM\Acrobat_23.001.20093\Update.exeexecutable
MD5:72F47AB2A4D02BCF7964AE4D6997000B
SHA256:1301E4E6E9F4C27B06D4CB89147445D612E40BED3F9CAA525229FD2A0412D3BB
7000n.exeC:\Users\admin\AppData\Update.exeexecutable
MD5:72F47AB2A4D02BCF7964AE4D6997000B
SHA256:1301E4E6E9F4C27B06D4CB89147445D612E40BED3F9CAA525229FD2A0412D3BB
7000n.exeC:\Users\admin\AppData\Local\Adobe\ARM\S\Update.exeexecutable
MD5:72F47AB2A4D02BCF7964AE4D6997000B
SHA256:1301E4E6E9F4C27B06D4CB89147445D612E40BED3F9CAA525229FD2A0412D3BB
7000n.exeC:\Users\admin\AppData\Local\Adobe\Update.exeexecutable
MD5:72F47AB2A4D02BCF7964AE4D6997000B
SHA256:1301E4E6E9F4C27B06D4CB89147445D612E40BED3F9CAA525229FD2A0412D3BB
7000n.exeC:\Users\admin\AppData\Local\Adobe\Acrobat\DC\Update.exeexecutable
MD5:72F47AB2A4D02BCF7964AE4D6997000B
SHA256:1301E4E6E9F4C27B06D4CB89147445D612E40BED3F9CAA525229FD2A0412D3BB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
45
TCP/UDP connections
49
DNS requests
33
Threats
101

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.168.114:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6544
svchost.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
2616
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
7000
n.exe
GET
200
185.156.72.8:80
http://185.156.72.8/1.exe
unknown
malicious
2616
SIHClient.exe
GET
200
2.23.246.101:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
7000
n.exe
GET
200
185.156.72.8:80
http://185.156.72.8/2.exe
unknown
malicious
7000
n.exe
GET
200
185.156.72.8:80
http://185.156.72.8/3.exe
unknown
malicious
7000
n.exe
GET
200
185.156.72.8:80
http://185.156.72.8/4.exe
unknown
malicious
7000
n.exe
GET
200
185.156.72.8:80
http://diamotrix.world/1.exe
unknown
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:137
whitelisted
2.16.168.114:80
crl.microsoft.com
Akamai International B.V.
RU
whitelisted
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3216
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
40.126.31.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6544
svchost.exe
2.23.77.188:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
5796
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2616
SIHClient.exe
20.109.210.53:443
slscr.update.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 40.127.240.158
whitelisted
crl.microsoft.com
  • 2.16.168.114
  • 2.16.168.124
whitelisted
www.microsoft.com
  • 95.101.149.131
  • 2.23.246.101
whitelisted
google.com
  • 172.217.18.14
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
login.live.com
  • 40.126.31.131
  • 20.190.159.4
  • 40.126.31.0
  • 20.190.159.75
  • 20.190.159.130
  • 20.190.159.68
  • 40.126.31.130
  • 20.190.159.128
whitelisted
ocsp.digicert.com
  • 2.23.77.188
whitelisted
slscr.update.microsoft.com
  • 20.109.210.53
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 13.85.23.206
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID
Process
Class
Message
7000
n.exe
Misc Attack
ET DROP Spamhaus DROP Listed Traffic Inbound group 35
7000
n.exe
A Network Trojan was detected
ET MALWARE Single char EXE direct download likely trojan (multiple families)
7000
n.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
7000
n.exe
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
7000
n.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
7000
n.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
7000
n.exe
A Network Trojan was detected
ET MALWARE Single char EXE direct download likely trojan (multiple families)
7000
n.exe
Potentially Bad Traffic
ET INFO Executable Download from dotted-quad Host
7000
n.exe
Misc activity
INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
7000
n.exe
Potentially Bad Traffic
ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
No debug info