File name:

d049a62a-9f90-4627-9528-f3af29660dd5

Full analysis: https://app.any.run/tasks/bd2a6e3f-526a-460f-925f-3f651bf57e4a
Verdict: Malicious activity
Analysis date: June 21, 2025, 18:44:05
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
crypto-regex
clipper
diamotrix
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 5 sections
MD5:

5941D0550CA95007DEFA7DD2542F3D87

SHA1:

3074B38531B1DCA2E822FCE46492B828E10C8C06

SHA256:

2D20E8C7EC69A445479656870236715088B17B495206A102AB7ECE00F5B135DE

SSDEEP:

24576:WilbsHTGz18+hm9mnYP5MpATf+0EzFnRbsQ4DW9ionote/+Zh7wfBjwPQjkj:WilbsHTGz18Wm9MYPqpATf+0EzFnRbsb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was injected by another process

      • sihost.exe (PID: 4180)
      • svchost.exe (PID: 4204)
      • svchost.exe (PID: 4248)
      • explorer.exe (PID: 4772)
      • svchost.exe (PID: 5048)
      • RuntimeBroker.exe (PID: 5224)
      • StartMenuExperienceHost.exe (PID: 5160)
      • SearchApp.exe (PID: 5328)
      • RuntimeBroker.exe (PID: 5448)
      • dllhost.exe (PID: 5604)
      • TextInputHost.exe (PID: 2772)
      • dllhost.exe (PID: 2484)
      • RuntimeBroker.exe (PID: 4376)
      • ApplicationFrameHost.exe (PID: 5096)
      • svchost.exe (PID: 6984)
      • UserOOBEBroker.exe (PID: 5936)
    • Runs injected code in another process

      • d049a62a-9f90-4627-9528-f3af29660dd5.exe (PID: 3488)
    • Changes the autorun value in the registry

      • d049a62a-9f90-4627-9528-f3af29660dd5.exe (PID: 3488)
      • explorer.exe (PID: 4772)
      • explorer.exe (PID: 1044)
      • explorer.exe (PID: 7120)
      • explorer.exe (PID: 1568)
      • explorer.exe (PID: 4768)
      • explorer.exe (PID: 5600)
      • explorer.exe (PID: 5276)
      • explorer.exe (PID: 1564)
      • explorer.exe (PID: 6260)
    • DIAMOTRIX has been detected (SURICATA)

      • explorer.exe (PID: 4772)
      • explorer.exe (PID: 1044)
      • explorer.exe (PID: 1568)
      • explorer.exe (PID: 1564)
  • SUSPICIOUS

    • Found regular expressions for crypto-addresses (YARA)

      • d049a62a-9f90-4627-9528-f3af29660dd5.exe (PID: 3488)
      • explorer.exe (PID: 1044)
    • Reads the date of Windows installation

      • StartMenuExperienceHost.exe (PID: 2148)
      • SearchApp.exe (PID: 1896)
      • StartMenuExperienceHost.exe (PID: 4156)
      • SearchApp.exe (PID: 4172)
      • StartMenuExperienceHost.exe (PID: 4880)
      • StartMenuExperienceHost.exe (PID: 2756)
      • SearchApp.exe (PID: 1812)
      • StartMenuExperienceHost.exe (PID: 2320)
    • Reads security settings of Internet Explorer

      • StartMenuExperienceHost.exe (PID: 2148)
      • StartMenuExperienceHost.exe (PID: 4156)
      • GameBar.exe (PID: 1704)
      • StartMenuExperienceHost.exe (PID: 4880)
      • StartMenuExperienceHost.exe (PID: 2756)
      • StartMenuExperienceHost.exe (PID: 2320)
    • Connects to the server without a host name

      • explorer.exe (PID: 4772)
      • explorer.exe (PID: 1044)
      • explorer.exe (PID: 1568)
      • explorer.exe (PID: 1564)
    • Executable content was dropped or overwritten

      • d049a62a-9f90-4627-9528-f3af29660dd5.exe (PID: 3488)
    • Creates file in the systems drive root

      • explorer.exe (PID: 1044)
  • INFO

    • Reads the computer name

      • d049a62a-9f90-4627-9528-f3af29660dd5.exe (PID: 3488)
      • TextInputHost.exe (PID: 6424)
      • StartMenuExperienceHost.exe (PID: 2148)
      • SearchApp.exe (PID: 1896)
      • TextInputHost.exe (PID: 6312)
      • StartMenuExperienceHost.exe (PID: 4156)
      • SearchApp.exe (PID: 4172)
      • GameBar.exe (PID: 1704)
      • TextInputHost.exe (PID: 724)
      • StartMenuExperienceHost.exe (PID: 4880)
      • SearchApp.exe (PID: 5260)
      • SearchApp.exe (PID: 1812)
      • TextInputHost.exe (PID: 756)
      • StartMenuExperienceHost.exe (PID: 2756)
      • StartMenuExperienceHost.exe (PID: 2320)
      • TextInputHost.exe (PID: 5696)
      • SearchApp.exe (PID: 4928)
    • Checks supported languages

      • d049a62a-9f90-4627-9528-f3af29660dd5.exe (PID: 3488)
      • TextInputHost.exe (PID: 6424)
      • SearchApp.exe (PID: 1896)
      • StartMenuExperienceHost.exe (PID: 2148)
      • k.exe (PID: 5612)
      • k.exe (PID: 1964)
      • TextInputHost.exe (PID: 6312)
      • StartMenuExperienceHost.exe (PID: 4156)
      • SearchApp.exe (PID: 4172)
      • k.exe (PID: 4836)
      • GameBar.exe (PID: 1704)
      • TextInputHost.exe (PID: 724)
      • StartMenuExperienceHost.exe (PID: 4880)
      • SearchApp.exe (PID: 5260)
      • TextInputHost.exe (PID: 756)
      • k.exe (PID: 2532)
      • StartMenuExperienceHost.exe (PID: 2756)
      • SearchApp.exe (PID: 1812)
      • StartMenuExperienceHost.exe (PID: 2320)
      • TextInputHost.exe (PID: 5696)
      • SearchApp.exe (PID: 4928)
      • k.exe (PID: 3488)
    • Reads the machine GUID from the registry

      • StartMenuExperienceHost.exe (PID: 5160)
      • d049a62a-9f90-4627-9528-f3af29660dd5.exe (PID: 3488)
      • TextInputHost.exe (PID: 2772)
      • SearchApp.exe (PID: 1896)
      • SearchApp.exe (PID: 4172)
      • SearchApp.exe (PID: 5260)
      • SearchApp.exe (PID: 1812)
      • SearchApp.exe (PID: 4928)
    • Launching a file from a Registry key

      • d049a62a-9f90-4627-9528-f3af29660dd5.exe (PID: 3488)
      • explorer.exe (PID: 4772)
      • explorer.exe (PID: 1044)
      • explorer.exe (PID: 7120)
      • explorer.exe (PID: 1568)
      • explorer.exe (PID: 4768)
      • explorer.exe (PID: 5276)
      • explorer.exe (PID: 5600)
      • explorer.exe (PID: 1564)
      • explorer.exe (PID: 6260)
    • Checks proxy server information

      • explorer.exe (PID: 4772)
      • explorer.exe (PID: 1044)
      • SearchApp.exe (PID: 1896)
      • explorer.exe (PID: 1568)
      • explorer.exe (PID: 7120)
      • slui.exe (PID: 1816)
      • SearchApp.exe (PID: 4172)
      • explorer.exe (PID: 4768)
      • SearchApp.exe (PID: 5260)
      • explorer.exe (PID: 5276)
      • explorer.exe (PID: 5600)
      • SearchApp.exe (PID: 1812)
      • explorer.exe (PID: 1564)
      • explorer.exe (PID: 6260)
      • SearchApp.exe (PID: 4928)
    • Creates files in the program directory

      • d049a62a-9f90-4627-9528-f3af29660dd5.exe (PID: 3488)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 1044)
      • explorer.exe (PID: 4772)
      • RuntimeBroker.exe (PID: 5224)
      • explorer.exe (PID: 1568)
      • explorer.exe (PID: 7120)
      • explorer.exe (PID: 5276)
      • sihost.exe (PID: 4180)
      • explorer.exe (PID: 4768)
      • explorer.exe (PID: 1564)
      • explorer.exe (PID: 5600)
      • RuntimeBroker.exe (PID: 5448)
      • explorer.exe (PID: 6260)
    • Process checks computer location settings

      • StartMenuExperienceHost.exe (PID: 2148)
      • SearchApp.exe (PID: 1896)
      • StartMenuExperienceHost.exe (PID: 4156)
      • SearchApp.exe (PID: 4172)
      • StartMenuExperienceHost.exe (PID: 4880)
      • SearchApp.exe (PID: 5260)
      • StartMenuExperienceHost.exe (PID: 2756)
      • SearchApp.exe (PID: 1812)
      • StartMenuExperienceHost.exe (PID: 2320)
      • SearchApp.exe (PID: 4928)
    • Manual execution by a user

      • rundll32.exe (PID: 1412)
      • mobsync.exe (PID: 788)
      • TextInputHost.exe (PID: 6312)
      • rundll32.exe (PID: 6360)
      • SearchApp.exe (PID: 4172)
      • mobsync.exe (PID: 5628)
      • rundll32.exe (PID: 5564)
      • GameBar.exe (PID: 1704)
      • rundll32.exe (PID: 3388)
      • TextInputHost.exe (PID: 724)
      • StartMenuExperienceHost.exe (PID: 4880)
      • SearchApp.exe (PID: 5260)
      • mobsync.exe (PID: 5744)
      • SearchApp.exe (PID: 1812)
      • TextInputHost.exe (PID: 756)
      • StartMenuExperienceHost.exe (PID: 2756)
      • rundll32.exe (PID: 5852)
      • mobsync.exe (PID: 4500)
      • rundll32.exe (PID: 1496)
      • WmiPrvSE.exe (PID: 6692)
      • StartMenuExperienceHost.exe (PID: 4156)
    • Reads the software policy settings

      • SearchApp.exe (PID: 1896)
      • SearchApp.exe (PID: 4172)
      • slui.exe (PID: 1816)
      • SearchApp.exe (PID: 5260)
      • SearchApp.exe (PID: 1812)
      • SearchApp.exe (PID: 4928)
    • Creates files or folders in the user directory

      • dllhost.exe (PID: 5604)
      • explorer.exe (PID: 1044)
      • explorer.exe (PID: 1568)
    • Reads Environment values

      • SearchApp.exe (PID: 1896)
      • SearchApp.exe (PID: 4172)
      • SearchApp.exe (PID: 5260)
      • SearchApp.exe (PID: 1812)
      • SearchApp.exe (PID: 4928)
    • Application launched itself

      • firefox.exe (PID: 2148)
      • firefox.exe (PID: 3768)
      • chrome.exe (PID: 3800)
    • Reads Microsoft Office registry keys

      • firefox.exe (PID: 2148)
    • Reads the time zone

      • WmiPrvSE.exe (PID: 6692)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:21 18:36:12+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 55808
InitializedDataSize: 541184
UninitializedDataSize: -
EntryPoint: 0x1e78
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
217
Monitored processes
87
Malicious processes
10
Suspicious processes
18

Behavior graph

[Interactive process graph, not reproduced here. Root: d049a62a-9f90-4627-9528-f3af29660dd5.exe; four explorer.exe nodes are tagged #DIAMOTRIX in the graph, alongside k.exe, slui.exe, rundll32.exe, searchapp.exe, startmenuexperiencehost.exe, textinputhost.exe, tiworker.exe, backgroundtaskhost.exe, mobsync.exe, gamebar.exe, firefox.exe, chrome.exe, wmiprvse.exe, dllhost.exe, sihost.exe, svchost.exe, runtimebroker.exe, applicationframehost.exe and useroobebroker.exe nodes.]

Process information

PID
CMD
Path
Indicators
Parent process
PID: 724
CMD: "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
Path: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
1
Version:
123.26505.0.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\kernel.appcore.dll
PID: 756
CMD: "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
Path: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
1
Version:
123.26505.0.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 788
CMD: C:\WINDOWS\System32\mobsync.exe -Embedding
Path: C:\Windows\System32\mobsync.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Sync Center
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mobsync.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 1044
CMD: explorer.exe
Path: C:\Windows\explorer.exe
Parent process: winlogon.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID: 1156
CMD: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --disable-quic --disable-http2 --string-annotations --field-trial-handle=2104,i,2001888891139059639,8265219230258317105,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250221-144540.991000 --mojo-platform-channel-handle=2132 /prefetch:3
Path: C:\Program Files\Google\Chrome\Application\chrome.exe
Parent process: chrome.exe
User:
admin
Company:
Google LLC
Integrity Level:
MEDIUM
Description:
Google Chrome
Version:
133.0.6943.127
Modules
Images
c:\program files\google\chrome\application\chrome.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\aclayers.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
PID: 1236
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3228 -prefsLen 36996 -prefMapHandle 3232 -prefMapSize 272997 -jsInitHandle 3236 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 3244 -initialChannelId {a9127d43-5c30-4950-98f5-edc554a75cce} -parentPid 2148 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2148" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\crypt32.dll
PID: 1412
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 1496
CMD: C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 1512
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 4132 -prefsLen 44926 -prefMapHandle 4136 -prefMapSize 272997 -jsInitHandle 4140 -jsInitLen 247456 -parentBuildID 20250227124745 -ipcHandle 4152 -initialChannelId {75856288-6c9f-47b8-b7c4-218adc8f8336} -parentPid 2148 -crashReporter "\\.\pipe\gecko-crash-server-pipe.2148" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Exit code:
0
Version:
136.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\vcruntime140_1.dll
PID: 1564
CMD: explorer.exe
Path: C:\Windows\explorer.exe
Parent process: winlogon.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
0
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
Total events
191 129
Read events
189 610
Write events
1 435
Delete events
84

Modification events

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000090230
Operation: write
Name: VirtualDesktop
Value: 10000000303044563096AFED4A643448A750FA41CFC7F708

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000090230
Operation: delete key
Name: (default)
Value:

(PID) Process: (3488) d049a62a-9f90-4627-9528-f3af29660dd5.exe
Key: HKEY_CURRENT_USER\SOFTWARE\bbeecafdaeec
Operation: write
Name: CurrentPath
Value: C:\Users\admin\AppData\Local\Temp\d049a62a-9f90-4627-9528-f3af29660dd5.exe

(PID) Process: (3488) d049a62a-9f90-4627-9528-f3af29660dd5.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: bbeecafdaeec
Value: "C:\ProgramData\bbeecafdaeec.exe"

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppLaunch
Operation: write
Name: Microsoft.Windows.Explorer
Value: 56

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation: write
Name: LastUpdate
Value: 8EFD566800000000

(PID) Process: (4772) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: NodeSlots
Value: 02020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202

(PID) Process: (4772) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Operation: write
Name: MRUListEx
Value: 030000000000000004000000110000000E000000100000000F0000000C0000000D0000000B000000050000000A000000090000000800000001000000070000000600000002000000FFFFFFFF

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Toolbar
Operation: write
Name: Locked
Value: 1

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: bbeecafdaeec
Value: "C:\Users\admin\AppData\Local\Temp\d049a62a-9f90-4627-9528-f3af29660dd5.exe"
Executable files
6
Suspicious files
403
Text files
157
Unknown types
0

Dropped files

PID | Process | Filename | Type
1896 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\77\Init[1].htm | html
MD5: D4547383B0C2446CC0B6FF22B6B9D3C0
SHA256: A9A9CF16844FFF484BEF87CE5A1BA373B8D2C04C806A559E1C030DAFD8B16806
1896 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\Q84V0JUH\6hU_LneafI_NFLeDvM367ebFaKQ[1].js | binary
MD5: C6C21B7634D82C53FB86080014D86E66
SHA256: D39E9BA92B07F4D50B11A49965E9B162452D7B9C9F26D9DCB07825727E31057E
3160 | TiWorker.exe | C:\Windows\Logs\CBS\CBS.log | text
MD5: C275579D648D11C5BB96623AD475286D
SHA256: BDD23C83420677B5F4A092D242D453C0ADD9C65F44F26CBAF69DCA278980145E
1896 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZWUI0EBX\www.bing[1].xml | text
MD5: BB591CD69B37344A2CACD2DEF0AB00CD
SHA256: 56A33C1426B2722B5290E585FB7B27629F07E63A27FB028C4C15F46BD34577E1
1896 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\77\-M-8YWX0KlEtdAHVrkTvKQHOghs[1].js | binary
MD5: 32EE4742328DFB725F3A96641B93B344
SHA256: 061E63AF37D22CCEF7FB5BB9BEABA0DF2F36B64F985BB8A408638846C895D0A7
1896 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres | binary
MD5: 359435F10DE2F2ACE2F4208CD3AB3878
SHA256: 3B308B60183B080D5D251C80813BDC95C9E87C1366E00749BBF8C378FD5516FB
4772 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat | binary
MD5: E49C56350AEDF784BFE00E444B879672
SHA256: A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
1896 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D | binary
MD5: DF367B9525354CC5543C9247210072ED
SHA256: 68511E58CC309F2895652008EF4A7C0B18C023D5EDBC435BCE4E83F8BE640D09
1896 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D | binary
MD5: FC187BCAD1A0D552B99301A07ADB03A2
SHA256: 425FE13175231BDF1B7EE07F50F23C10341933C84165AD439D61E7583B1A0389
3488 | d049a62a-9f90-4627-9528-f3af29660dd5.exe | C:\ProgramData\bbeecafdaeec.exe | executable
MD5: 5941D0550CA95007DEFA7DD2542F3D87
SHA256: 2D20E8C7EC69A445479656870236715088B17B495206A102AB7ECE00F5B135DE
HTTP(S) requests
32
TCP/UDP connections
105
DNS requests
111
Threats
10

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1268 | svchost.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | - | - | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | - | - | whitelisted
3908 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | - | - | whitelisted
3908 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | - | - | whitelisted
4772 | explorer.exe | POST | 200 | 194.38.21.76:80 | http://194.38.21.76/diamo/post.php | unknown | - | - | malicious
1896 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | - | - | whitelisted
4944 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | - | - | whitelisted
2940 | svchost.exe | GET | 200 | 23.209.209.135:80 | http://x1.c.lencr.org/ | unknown | - | - | whitelisted
1044 | explorer.exe | POST | 200 | 194.38.21.76:80 | http://194.38.21.76/diamo/post.php | unknown | - | - | malicious
1568 | explorer.exe | POST | 200 | 194.38.21.76:80 | http://194.38.21.76/diamo/post.php | unknown | - | - | malicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3924 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
1268 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted
5944 | MoUsoCoreWorker.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4772 | explorer.exe | 185.156.72.89:80 | - | Tov Vaiz Partner | RU | unknown

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.104.136.2
whitelisted
google.com
  • 142.250.184.238
whitelisted
crl.microsoft.com
  • 23.55.104.190
  • 23.55.104.172
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
slscr.update.microsoft.com
  • 172.202.163.200
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted
login.live.com
  • 20.190.159.64
  • 20.190.159.23
  • 40.126.31.130
  • 40.126.31.69
  • 40.126.31.73
  • 20.190.159.128
  • 40.126.31.1
  • 40.126.31.67
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
client.wns.windows.com
  • 172.211.123.248
whitelisted
activation-v2.sls.microsoft.com
  • 40.91.76.224
whitelisted

Threats

PID | Process | Class | Message
4772 | explorer.exe | A Network Trojan was detected | ET MALWARE Diamotrix Clipper POST Request M1
4772 | explorer.exe | A Network Trojan was detected | ET MALWARE Diamotrix POST Request M3
1044 | explorer.exe | A Network Trojan was detected | ET MALWARE Diamotrix Clipper POST Request M1
1044 | explorer.exe | A Network Trojan was detected | ET MALWARE Diamotrix POST Request M3
1568 | explorer.exe | A Network Trojan was detected | ET MALWARE Diamotrix Clipper POST Request M1
1568 | explorer.exe | A Network Trojan was detected | ET MALWARE Diamotrix POST Request M3
1564 | explorer.exe | A Network Trojan was detected | ET MALWARE Diamotrix Clipper POST Request M1
1564 | explorer.exe | A Network Trojan was detected | ET MALWARE Diamotrix POST Request M3
1564 | explorer.exe | A Network Trojan was detected | ET MALWARE Diamotrix Clipper POST Request M1
1564 | explorer.exe | A Network Trojan was detected | ET MALWARE Diamotrix POST Request M3
No debug info