File name:

.exe

Full analysis: https://app.any.run/tasks/d049a62a-9f90-4627-9528-f3af29660dd5
Verdict: Malicious activity
Analysis date: June 21, 2025, 18:34:50
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
crypto-regex
clipper
diamotrix
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 5 sections
MD5:

5941D0550CA95007DEFA7DD2542F3D87

SHA1:

3074B38531B1DCA2E822FCE46492B828E10C8C06

SHA256:

2D20E8C7EC69A445479656870236715088B17B495206A102AB7ECE00F5B135DE

SSDEEP:

24576:WilbsHTGz18+hm9mnYP5MpATf+0EzFnRbsQ4DW9ionote/+Zh7wfBjwPQjkj:WilbsHTGz18Wm9MYPqpATf+0EzFnRbsb

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was injected by another process

      • svchost.exe (PID: 4204)
      • sihost.exe (PID: 4180)
      • StartMenuExperienceHost.exe (PID: 5160)
      • svchost.exe (PID: 4248)
      • RuntimeBroker.exe (PID: 5448)
      • explorer.exe (PID: 4772)
      • RuntimeBroker.exe (PID: 5224)
      • svchost.exe (PID: 5048)
      • dllhost.exe (PID: 5604)
      • SearchApp.exe (PID: 5328)
      • RuntimeBroker.exe (PID: 4376)
      • ApplicationFrameHost.exe (PID: 5096)
      • UserOOBEBroker.exe (PID: 5936)
      • svchost.exe (PID: 6984)
      • dllhost.exe (PID: 2484)
      • TextInputHost.exe (PID: 2772)

    • Runs injected code in another process

      • d049a62a-9f90-4627-9528-f3af29660dd5.exe (PID: 6004)

    • Changes the autorun value in the registry

      • explorer.exe (PID: 4772)
      • d049a62a-9f90-4627-9528-f3af29660dd5.exe (PID: 6004)
      • explorer.exe (PID: 4968)
      • explorer.exe (PID: 6584)
      • explorer.exe (PID: 2132)
      • explorer.exe (PID: 4348)
      • explorer.exe (PID: 1180)

    • DIAMOTRIX has been detected (SURICATA)

      • explorer.exe (PID: 4772)
      • explorer.exe (PID: 1180)
      • explorer.exe (PID: 6584)
      • explorer.exe (PID: 2132)
      • explorer.exe (PID: 4348)

  • SUSPICIOUS

    • Found regular expressions for crypto-addresses (YARA)

      • d049a62a-9f90-4627-9528-f3af29660dd5.exe (PID: 6004)
      • explorer.exe (PID: 5724)

    • Executable content was dropped or overwritten

      • d049a62a-9f90-4627-9528-f3af29660dd5.exe (PID: 6004)

    • Creates file in the systems drive root

      • explorer.exe (PID: 4968)
      • explorer.exe (PID: 1180)
      • explorer.exe (PID: 6584)
      • explorer.exe (PID: 2132)
      • explorer.exe (PID: 4348)

    • Connects to the server without a host name

      • explorer.exe (PID: 4772)
      • explorer.exe (PID: 4968)
      • explorer.exe (PID: 1180)
      • explorer.exe (PID: 6584)
      • explorer.exe (PID: 2132)
      • explorer.exe (PID: 4348)

    • Application launched itself

      • explorer.exe (PID: 4968)
      • explorer.exe (PID: 2132)
      • explorer.exe (PID: 4348)

    • Reads security settings of Internet Explorer

      • StartMenuExperienceHost.exe (PID: 1984)
      • StartMenuExperienceHost.exe (PID: 5316)
      • StartMenuExperienceHost.exe (PID: 7072)

    • Reads the date of Windows installation

      • StartMenuExperienceHost.exe (PID: 1984)
      • SearchApp.exe (PID: 4276)
      • StartMenuExperienceHost.exe (PID: 5316)
      • SearchApp.exe (PID: 1984)
      • StartMenuExperienceHost.exe (PID: 7072)
      • SearchApp.exe (PID: 3640)

  • INFO

    • Checks supported languages

      • d049a62a-9f90-4627-9528-f3af29660dd5.exe (PID: 6004)
      • TextInputHost.exe (PID: 6620)
      • StartMenuExperienceHost.exe (PID: 1984)
      • SearchApp.exe (PID: 4276)
      • StartMenuExperienceHost.exe (PID: 5316)
      • TextInputHost.exe (PID: 3504)
      • SearchApp.exe (PID: 1984)
      • StartMenuExperienceHost.exe (PID: 7072)
      • TextInputHost.exe (PID: 2708)
      • SearchApp.exe (PID: 3640)

    • Reads the machine GUID from the registry

      • d049a62a-9f90-4627-9528-f3af29660dd5.exe (PID: 6004)
      • StartMenuExperienceHost.exe (PID: 5160)
      • TextInputHost.exe (PID: 2772)
      • SearchApp.exe (PID: 4276)
      • SearchApp.exe (PID: 1984)
      • SearchApp.exe (PID: 3640)

    • Reads the computer name

      • d049a62a-9f90-4627-9528-f3af29660dd5.exe (PID: 6004)
      • TextInputHost.exe (PID: 6620)
      • StartMenuExperienceHost.exe (PID: 1984)
      • SearchApp.exe (PID: 4276)
      • StartMenuExperienceHost.exe (PID: 5316)
      • TextInputHost.exe (PID: 3504)
      • SearchApp.exe (PID: 1984)
      • StartMenuExperienceHost.exe (PID: 7072)
      • TextInputHost.exe (PID: 2708)
      • SearchApp.exe (PID: 3640)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4772)
      • Taskmgr.exe (PID: 6360)
      • explorer.exe (PID: 4968)
      • explorer.exe (PID: 5724)
      • RuntimeBroker.exe (PID: 5224)
      • explorer.exe (PID: 1180)
      • explorer.exe (PID: 6584)
      • explorer.exe (PID: 2132)
      • explorer.exe (PID: 2140)
      • explorer.exe (PID: 1012)
      • explorer.exe (PID: 4348)
      • RuntimeBroker.exe (PID: 5448)

    • Manual execution by a user

      • Taskmgr.exe (PID: 1644)
      • Taskmgr.exe (PID: 6360)

    • Launching a file from a Registry key

      • explorer.exe (PID: 4772)
      • d049a62a-9f90-4627-9528-f3af29660dd5.exe (PID: 6004)
      • explorer.exe (PID: 4968)
      • explorer.exe (PID: 6584)
      • explorer.exe (PID: 1180)
      • explorer.exe (PID: 2132)
      • explorer.exe (PID: 4348)

    • Creates files in the program directory

      • d049a62a-9f90-4627-9528-f3af29660dd5.exe (PID: 6004)

    • Checks proxy server information

      • explorer.exe (PID: 4772)
      • explorer.exe (PID: 4968)
      • explorer.exe (PID: 5724)
      • SearchApp.exe (PID: 4276)
      • explorer.exe (PID: 1180)
      • slui.exe (PID: 1740)
      • explorer.exe (PID: 6584)
      • SearchApp.exe (PID: 1984)
      • explorer.exe (PID: 2140)
      • explorer.exe (PID: 4348)
      • SearchApp.exe (PID: 3640)
      • explorer.exe (PID: 1012)
      • explorer.exe (PID: 2132)

    • Process checks computer location settings

      • StartMenuExperienceHost.exe (PID: 1984)
      • StartMenuExperienceHost.exe (PID: 5316)
      • SearchApp.exe (PID: 1984)
      • SearchApp.exe (PID: 3640)
      • SearchApp.exe (PID: 4276)
      • StartMenuExperienceHost.exe (PID: 7072)

    • Creates files or folders in the user directory

      • dllhost.exe (PID: 5604)
      • explorer.exe (PID: 5724)
      • explorer.exe (PID: 2140)

    • Reads the software policy settings

      • SearchApp.exe (PID: 4276)
      • slui.exe (PID: 1740)
      • SearchApp.exe (PID: 1984)
      • SearchApp.exe (PID: 3640)

    • Reads Environment values

      • SearchApp.exe (PID: 4276)
      • SearchApp.exe (PID: 1984)
      • SearchApp.exe (PID: 3640)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:21 18:36:12+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 55808
InitializedDataSize: 541184
UninitializedDataSize: -
EntryPoint: 0x1e78
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
169
Monitored processes
44
Malicious processes
8
Suspicious processes
15

Behavior graph

Click at the process to see the details
start d049a62a-9f90-4627-9528-f3af29660dd5.exe taskmgr.exe no specs taskmgr.exe #DIAMOTRIX explorer.exe slui.exe rundll32.exe no specs explorer.exe rundll32.exe no specs rundll32.exe no specs explorer.exe no specs textinputhost.exe no specs startmenuexperiencehost.exe no specs tiworker.exe no specs searchapp.exe mobsync.exe no specs #DIAMOTRIX explorer.exe #DIAMOTRIX explorer.exe #DIAMOTRIX explorer.exe explorer.exe no specs startmenuexperiencehost.exe no specs textinputhost.exe no specs searchapp.exe mobsync.exe no specs #DIAMOTRIX explorer.exe explorer.exe no specs startmenuexperiencehost.exe no specs textinputhost.exe no specs searchapp.exe mobsync.exe no specs dllhost.exe textinputhost.exe sihost.exe svchost.exe svchost.exe runtimebroker.exe svchost.exe applicationframehost.exe startmenuexperiencehost.exe runtimebroker.exe searchapp.exe runtimebroker.exe dllhost.exe useroobebroker.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1012"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
1180C:\WINDOWS\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -EmbeddingC:\Windows\explorer.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
1204C:\WINDOWS\System32\mobsync.exe -EmbeddingC:\Windows\System32\mobsync.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Sync Center
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\mobsync.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1208C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
1644"C:\WINDOWS\system32\taskmgr.exe" /4C:\Windows\System32\Taskmgr.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Task Manager
Exit code:
3221226540
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
1740C:\WINDOWS\System32\slui.exe -EmbeddingC:\Windows\System32\slui.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
1984"C:\WINDOWS\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mcaC:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\startmenuexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wincorlib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
1984"C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mcaC:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Search application
Exit code:
1
Version:
10.0.19041.3996 (WinBuild.160101.0800)
Modules
Images
c:\windows\systemapps\microsoft.windows.search_cw5n1h2txyewy\searchapp.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ntmarta.dll
2132C:\WINDOWS\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -EmbeddingC:\Windows\explorer.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
2140"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\twinapi.dll
c:\windows\system32\aepic.dll
Total events
148 734
Read events
147 640
Write events
1 030
Delete events
64

Modification events

(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000040302
Operation:writeName:VirtualDesktop
Value:
10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:writeName:LastUpdate
Value:
58FB566800000000
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
Operation:delete keyName:(default)
Value:
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
Operation:writeName:Classes
Value:
.accdb
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
Operation:writeName:~reserved~
Value:
0800000000000600
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:Mode
Value:
1
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:LogicalViewMode
Value:
3
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:FFlags
Value:
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconSize
Value:
48
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:Sort
Value:
0000000000000000000000000000000000000000
Executable files
5
Suspicious files
51
Text files
124
Unknown types
0

Dropped files

PID
Process
Filename
Type
4276SearchApp.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZWUI0EBX\www.bing[1].xmltext
MD5:E94E94EE341E842F4BF5A9B0B72A1CC7
SHA256:361BE048702D2711E5A76B8C6AA6EC3FC6E29642028890B5CC02C7E60A22D4B5
4276SearchApp.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbresbinary
MD5:5814FB3283BA2E87B2905F398EC4820F
SHA256:327AF313367DC72913A0386E74F1BA9A86F479E9DAA551E48C75533EDAC3C3C2
6152TiWorker.exeC:\Windows\Logs\CBS\CBS.logtext
MD5:59D5770636F1223E5B79500C44F9FC17
SHA256:615F688CA513445D2274DF6D86773EA4F969FE70D0C3078DB8F913615959EAC2
4276SearchApp.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\INetCache\Q84V0JUH\6hU_LneafI_NFLeDvM367ebFaKQ[1].jsbinary
MD5:C6C21B7634D82C53FB86080014D86E66
SHA256:D39E9BA92B07F4D50B11A49965E9B162452D7B9C9F26D9DCB07825727E31057E
6004d049a62a-9f90-4627-9528-f3af29660dd5.exeC:\ProgramData\bbeecafdaeec.exeexecutable
MD5:5941D0550CA95007DEFA7DD2542F3D87
SHA256:2D20E8C7EC69A445479656870236715088B17B495206A102AB7ECE00F5B135DE
4772explorer.exeC:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datbinary
MD5:E49C56350AEDF784BFE00E444B879672
SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
5604dllhost.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\77\appcache[1].mantext
MD5:15F8A83AE8EE49313779C8A2A461FDFD
SHA256:46E6B38B3605545995D0C888227BA22938943604AB967272FF739D40E7D292C5
4276SearchApp.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10Dbinary
MD5:A72BDB1261261EC4655905F43861E5BA
SHA256:D99075553AB5222D1917682D4D2F948842E9391D40331AB79B52F3E7CEC34F85
4276SearchApp.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10Dbinary
MD5:DF367B9525354CC5543C9247210072ED
SHA256:68511E58CC309F2895652008EF4A7C0B18C023D5EDBC435BCE4E83F8BE640D09
4276SearchApp.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\77\NajusmjIqB4kdLn9FmVxeS4xi2o[1].csstext
MD5:73D1CEBD8E3B6C7246F422D624EDF803
SHA256:0674786CF9978A1F9065F57D98E986070C7CBB5177F154F40E8A924C0E0C13F2
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
14
TCP/UDP connections
49
DNS requests
23
Threats
6

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3608
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4968
explorer.exe
POST
200
185.156.72.89:80
http://185.156.72.89/nzcwzue/pqrfxn.php
unknown
unknown
4276
SearchApp.exe
GET
200
2.23.77.188:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
5944
MoUsoCoreWorker.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
1180
explorer.exe
POST
200
185.156.72.89:80
http://185.156.72.89/nzcwzue/pqrfxn.php
unknown
unknown
2940
svchost.exe
GET
200
23.209.209.135:80
http://x1.c.lencr.org/
unknown
whitelisted
2132
explorer.exe
POST
200
185.156.72.89:80
http://185.156.72.89/nzcwzue/pqrfxn.php
unknown
unknown
4348
explorer.exe
POST
200
185.156.72.89:80
http://185.156.72.89/nzcwzue/pqrfxn.php
unknown
unknown
4348
explorer.exe
POST
200
185.156.72.89:80
http://185.156.72.89/nzcwzue/pqrfxn.php
unknown
unknown
4772
explorer.exe
POST
200
185.156.72.89:80
http://185.156.72.89/nzcwzue/pqrfxn.php
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
1268
svchost.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
5944
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1512
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2292
svchost.exe
20.190.160.3:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2292
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
5944
MoUsoCoreWorker.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
5944
MoUsoCoreWorker.exe
23.55.104.190:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
5944
MoUsoCoreWorker.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.104.136.2
  • 51.124.78.146
whitelisted
google.com
  • 142.250.186.110
whitelisted
login.live.com
  • 20.190.160.3
  • 20.190.160.65
  • 40.126.32.136
  • 40.126.32.138
  • 20.190.160.67
  • 20.190.160.22
  • 20.190.160.17
  • 40.126.32.134
  • 40.126.31.3
  • 40.126.31.0
  • 40.126.31.129
  • 40.126.31.67
  • 40.126.31.1
  • 20.190.159.130
  • 40.126.31.2
  • 20.190.159.23
whitelisted
ocsp.digicert.com
  • 2.17.190.73
  • 2.23.77.188
whitelisted
nexusrules.officeapps.live.com
  • 52.111.227.11
whitelisted
crl.microsoft.com
  • 23.55.104.190
  • 23.55.104.172
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
slscr.update.microsoft.com
  • 4.245.163.56
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 20.3.187.198
whitelisted

Threats

PID
Process
Class
Message
4772
explorer.exe
A Network Trojan was detected
ET MALWARE Diamotrix POST Request M3
1180
explorer.exe
A Network Trojan was detected
ET MALWARE Diamotrix POST Request M3
6584
explorer.exe
A Network Trojan was detected
ET MALWARE Diamotrix POST Request M3
2132
explorer.exe
A Network Trojan was detected
ET MALWARE Diamotrix POST Request M3
4348
explorer.exe
A Network Trojan was detected
ET MALWARE Diamotrix POST Request M3
4348
explorer.exe
A Network Trojan was detected
ET MALWARE Diamotrix POST Request M3
No debug info