File name:	AntiPublic_.exe
Full analysis:	https://app.any.run/tasks/5ca1e397-db88-48e8-b8c5-e0614bca240a
Verdict:	Malicious activity
Threats:	A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	June 21, 2025, 14:46:08
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	clipper diamotrix python auto-reg loader arch-doc yero worm pyinstaller crypto-regex
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32+ executable (GUI) x86-64, for MS Windows, 6 sections
MD5:	BE450F415E14569788D93BC0AF8785A3
SHA1:	81D8967701E110AD72427C59E30797836E7C10D1
SHA256:	64D6B1E9814F0AE28468C8A27EFDFA1B9E2071129D1B52FF9FDC27C552EC5608
SSDEEP:	98304:l0BkU6AyTXOkOM860tXNmfZg8k5O5tmScZNd9bGQ7wHRQY0WCF0G8psqoM60Q6zL:lrl6Da1C6m1

.exe	\|	InstallShield setup (36.8)
.exe	\|	Win32 Executable MS Visual C++ (generic) (26.6)
.exe	\|	Win64 Executable (generic) (23.6)
.dll	\|	Win32 Dynamic Link Library (generic) (5.6)
.exe	\|	Win32 Executable (generic) (3.8)

MachineType:	AMD AMD64
TimeStamp:	2025:06:20 18:51:34+00:00
ImageFileCharacteristics:	Executable, Large address aware
PEType:	PE32+
LinkerVersion:	14.4
CodeSize:	55808
InitializedDataSize:	9199616
UninitializedDataSize:	-
EntryPoint:	0x1dfc
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.2.1.1
ProductVersionNumber:	3.1.1.1
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Windows NT 32-bit
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	Ioxcv
FileVersion:	6.0.0.0
InternalName:	Ioxcv.exe
LegalCopyright:	(C) 2026
OriginalFileName:	Ioxcv.exe
ProductName:	Ioxcv
ProductVersion:	2.2.2.2


(PID) Process:	(2604) fgsdfgerds.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	Systmdrv
Value: C:\Users\admin\AppData\Roaming\systmdrv.exe
(PID) Process:	(5496) vbcvgfdgdf.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\bbeecafdaeec
Operation:	write	Name:	CurrentPath
Value: C:\Users\admin\AppData\Roaming\vbcvgfdgdf.exe
(PID) Process:	(5496) vbcvgfdgdf.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	bbeecafdaeec
Value: "C:\ProgramData\bbeecafdaeec.exe"
(PID) Process:	(4748) AntiPublic_.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
Operation:	write	Name:	SlowContextMenuEntries
Value: 6024B221EA3A6910A2DC08002B30309D0A010000BD0E0C47735D584D9CEDE91E22E23282770100000114020000000000C0000000000000468D0000006078A409B011A54DAFA526D86198A780390100009AD298B2EDA6DE11BA8CA68E55D895936E000000
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:00000000000A032A
Operation:	write	Name:	VirtualDesktop
Value: 10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	bbeecafdaeec
Value: "C:\Users\admin\AppData\Roaming\vbcvgfdgdf.exe"
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\bbeecafdaeec
Operation:	write	Name:	CurrentPath
Value: C:\Users\admin\AppData\Roaming\vbcvgfdgdf.exe
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\StartupFolder
Operation:	delete key	Name:	(default)
Value:
(PID) Process:	(4772) explorer.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Operation:	write	Name:	bbeecafdaeec
Value: "C:\ProgramData\bbeecafdaeec.exe"

PID	Process	Filename		Type
4748	AntiPublic_.exe	C:\Users\admin\AppData\Roaming\fgsdfgerds.exe		executable
		MD5:E9C28F27DDC04C563B80B013A2140B4C	SHA256:82ABA7497BE6CC024E37E74DE4DA89E6EC7E7A0EB3A447546AAEE762E159BA2A
4748	AntiPublic_.exe	C:\Users\admin\AppData\Roaming\sdgfxcvxc.exe		executable
		MD5:97CEAEF859A4B1640E7AB16D854BD669	SHA256:0B0E8348D188292067CA0E53D7266AAC83042D38B3DD00F02BB2BD8C26F2519E
2148	sdgfxcvxc.exe	C:\ProgramData\{65b178c1-239c-11ed-b4aa-806e6f6e6963}\Software_Info.txt		text
		MD5:AAB1B59AF386F4F63F9007EF79B3D07A	SHA256:1EB2569F1A69183A48F7D93B4AFB8BFF9D7972FB160D3649EEBD67B2C986ED1F
2148	sdgfxcvxc.exe	C:\ProgramData\{65b178c1-239c-11ed-b4aa-806e6f6e6963}\Browsers\Chrome_History.txt		—
		MD5:—	SHA256:—
4748	AntiPublic_.exe	C:\Users\admin\AppData\Roaming\vbcvgfdgdf.exe		executable
		MD5:7E340F84D63615BABF925884F25190A4	SHA256:CEE697C61780F010768937F57FE8D32E658471951936C7AC6AAE5B2FAF86CC2A
2148	sdgfxcvxc.exe	C:\ProgramData\{65b178c1-239c-11ed-b4aa-806e6f6e6963}\Browsers\Edge_History.txt		—
		MD5:—	SHA256:—
2148	sdgfxcvxc.exe	C:\ProgramData\{65b178c1-239c-11ed-b4aa-806e6f6e6963}\Browsers\Chrome_Downloads.txt		—
		MD5:—	SHA256:—
2148	sdgfxcvxc.exe	C:\ProgramData\{65b178c1-239c-11ed-b4aa-806e6f6e6963}\Browsers\Edge_Downloads.txt		—
		MD5:—	SHA256:—
4772	explorer.exe	C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat		binary
		MD5:E49C56350AEDF784BFE00E444B879672	SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
2604	fgsdfgerds.exe	C:\Users\admin\AppData\Roaming\systmdrv.exe		executable
		MD5:E9C28F27DDC04C563B80B013A2140B4C	SHA256:82ABA7497BE6CC024E37E74DE4DA89E6EC7E7A0EB3A447546AAEE762E159BA2A

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
1268	svchost.exe	GET	200	2.18.121.139:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
1268	svchost.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2228	RUXIMICS.exe	GET	200	2.18.121.139:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	2.18.121.139:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
5944	MoUsoCoreWorker.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
2228	RUXIMICS.exe	GET	200	95.101.149.131:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	POST	200	185.156.72.89:80	http://185.156.72.89/nzcwzue/pqrfxn.php	unknown	—	—	unknown
—	—	POST	200	40.126.32.72:443	https://login.live.com/RST2.srf	unknown	xml	1.24 Kb	whitelisted
—	—	POST	200	20.190.160.131:443	https://login.live.com/ppsecure/deviceaddcredential.srf	unknown	text	16.7 Kb	whitelisted
6664	systmdrv.exe	GET	200	185.156.72.8:80	http://185.156.72.8/1.exe	unknown	—	—	malicious

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
5944	MoUsoCoreWorker.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
1268	svchost.exe	51.104.136.2:443	—	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
1268	svchost.exe	2.18.121.139:80	crl.microsoft.com	AKAMAI-AS	FR	whitelisted
2228	RUXIMICS.exe	2.18.121.139:80	crl.microsoft.com	AKAMAI-AS	FR	whitelisted
5944	MoUsoCoreWorker.exe	2.18.121.139:80	crl.microsoft.com	AKAMAI-AS	FR	whitelisted
1268	svchost.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted
5944	MoUsoCoreWorker.exe	95.101.149.131:80	www.microsoft.com	Akamai International B.V.	NL	whitelisted

Domain	IP	Reputation
google.com	216.58.206.78	whitelisted
crl.microsoft.com	2.18.121.139 2.18.121.147 23.55.104.172 23.55.104.190	whitelisted
www.microsoft.com	95.101.149.131	whitelisted
settings-win.data.microsoft.com	51.124.78.146	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
login.live.com	20.190.160.64 40.126.32.136 40.126.32.74 20.190.160.66 20.190.160.131 20.190.160.5 40.126.32.138 20.190.160.132	whitelisted
nexusrules.officeapps.live.com	52.111.227.11 52.111.243.31	whitelisted
officeclient.microsoft.com	52.109.89.18	whitelisted
roaming.officeapps.live.com	52.109.28.47	whitelisted
omex.cdn.office.net	23.200.87.23 23.200.86.240	whitelisted

PID	Process	Class	Message
6664	systmdrv.exe	A Network Trojan was detected	ET MALWARE Diamotrix POST Request M3
6664	systmdrv.exe	A Network Trojan was detected	ET MALWARE Single char EXE direct download likely trojan (multiple families)
6664	systmdrv.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
6664	systmdrv.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
6664	systmdrv.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP
6664	systmdrv.exe	Potentially Bad Traffic	ET HUNTING SUSPICIOUS Dotted Quad Host MZ Response
6664	systmdrv.exe	A Network Trojan was detected	ET MALWARE Single char EXE direct download likely trojan (multiple families)
6664	systmdrv.exe	Misc activity	INFO [ANY.RUN] USER_AGENTS Suspicious User-Agent (Mozilla/5.0)
6664	systmdrv.exe	Potentially Bad Traffic	ET INFO Executable Download from dotted-quad Host
6664	systmdrv.exe	Potential Corporate Privacy Violation	ET INFO PE EXE or DLL Windows file download HTTP

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.

General Info

AntiPublic_.exe

BE450F415E14569788D93BC0AF8785A3

81D8967701E110AD72427C59E30797836E7C10D1

64D6B1E9814F0AE28468C8A27EFDFA1B9E2071129D1B52FF9FDC27C552EC5608

98304:l0BkU6AyTXOkOM860tXNmfZg8k5O5tmScZNd9bGQ7wHRQY0WCF0G8psqoM60Q6zL:lrl6Da1C6m1

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes the autorun value in the registry

Runs injected code in another process

Application was injected by another process

YERO has been detected

Loads dropped or rewritten executable

DIAMOTRIX has been detected (SURICATA)

Connects to the CnC server

SUSPICIOUS

Process drops legitimate windows executable

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the date of Windows installation

Starts CMD.EXE for commands execution

Starts itself from another location

Loads Python modules

Connects to unusual port

Potential Corporate Privacy Violation

Process drops python dynamic module

The process drops C-runtime libraries

Application launched itself

Process requests binary or script from the Internet

Connects to the server without a host name

Uses RUNDLL32.EXE to load library

Contacting a server suspected of hosting an CnC

Found regular expressions for crypto-addresses (YARA)

INFO

The sample compiled with english language support

Reads the computer name

Checks supported languages

Process checks computer location settings

Creates files or folders in the user directory

Launching a file from a Registry key

Creates files in the program directory

Reads the machine GUID from the registry

Reads the time zone

Checks proxy server information

Manual execution by a user

Create files in a temporary directory

Reads security settings of Internet Explorer

Reads the software policy settings

PyInstaller has been detected (YARA)

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules