File name:

.exe

Full analysis: https://app.any.run/tasks/ed7b275f-7e7b-4fa9-9abf-676847530890
Verdict: Malicious activity
Analysis date: June 21, 2025, 18:07:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
crypto-regex
clipper
diamotrix
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 5 sections
MD5:

946E3834E36523E8AE07CB2FEEA9B734

SHA1:

C6CA80816B8E1DF667C5D49F60C554B6622C5522

SHA256:

F224739A2013952F37140737874E91777EBED4E12354260856F703BDCDF22AF4

SSDEEP:

24576:VilbG5ebt9nXzuCH/BiuKkICXYYB1Yctp7VGLVmhqC4:VilbG5ebzXzuCH/Biu3IoYYB1Yctp7Ve

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Application was injected by another process

      • sihost.exe (PID: 4180)
      • svchost.exe (PID: 4248)
      • explorer.exe (PID: 4772)
      • svchost.exe (PID: 5048)
      • RuntimeBroker.exe (PID: 5224)
      • SearchApp.exe (PID: 5328)
      • dllhost.exe (PID: 5604)
      • svchost.exe (PID: 4204)
      • StartMenuExperienceHost.exe (PID: 5160)
      • RuntimeBroker.exe (PID: 5448)
      • ApplicationFrameHost.exe (PID: 5096)
      • RuntimeBroker.exe (PID: 4376)
      • svchost.exe (PID: 6984)
      • UserOOBEBroker.exe (PID: 5936)
      • dllhost.exe (PID: 2484)
      • taskhostw.exe (PID: 5528)
      • TextInputHost.exe (PID: 2772)

    • Runs injected code in another process

      • ed7b275f-7e7b-4fa9-9abf-676847530890.exe (PID: 2760)

    • Changes the autorun value in the registry

      • ed7b275f-7e7b-4fa9-9abf-676847530890.exe (PID: 2760)
      • explorer.exe (PID: 4772)
      • explorer.exe (PID: 1232)
      • explorer.exe (PID: 4036)
      • explorer.exe (PID: 6420)

    • DIAMOTRIX has been detected (SURICATA)

      • explorer.exe (PID: 4772)
      • explorer.exe (PID: 1232)
      • explorer.exe (PID: 4036)
      • explorer.exe (PID: 6420)

  • SUSPICIOUS

    • Found regular expressions for crypto-addresses (YARA)

      • ed7b275f-7e7b-4fa9-9abf-676847530890.exe (PID: 2760)
      • explorer.exe (PID: 4760)
      • explorer.exe (PID: 1388)

    • Executable content was dropped or overwritten

      • ed7b275f-7e7b-4fa9-9abf-676847530890.exe (PID: 2760)

    • Connects to the server without a host name

      • explorer.exe (PID: 4772)
      • explorer.exe (PID: 1232)
      • explorer.exe (PID: 4036)
      • explorer.exe (PID: 6420)

    • Application launched itself

      • explorer.exe (PID: 1232)
      • explorer.exe (PID: 4036)
      • explorer.exe (PID: 6420)

    • Reads security settings of Internet Explorer

      • StartMenuExperienceHost.exe (PID: 4288)
      • StartMenuExperienceHost.exe (PID: 3864)
      • StartMenuExperienceHost.exe (PID: 2552)

    • Reads the date of Windows installation

      • StartMenuExperienceHost.exe (PID: 4288)
      • SearchApp.exe (PID: 3644)
      • StartMenuExperienceHost.exe (PID: 3864)
      • SearchApp.exe (PID: 5308)
      • StartMenuExperienceHost.exe (PID: 2552)

    • Creates file in the systems drive root

      • explorer.exe (PID: 1232)
      • explorer.exe (PID: 4036)
      • explorer.exe (PID: 3380)
      • explorer.exe (PID: 6420)

  • INFO

    • Checks supported languages

      • ed7b275f-7e7b-4fa9-9abf-676847530890.exe (PID: 2760)
      • TextInputHost.exe (PID: 5248)
      • StartMenuExperienceHost.exe (PID: 4288)
      • SearchApp.exe (PID: 3644)
      • StartMenuExperienceHost.exe (PID: 3864)
      • SearchApp.exe (PID: 5308)
      • TextInputHost.exe (PID: 1056)
      • StartMenuExperienceHost.exe (PID: 2552)
      • TextInputHost.exe (PID: 3872)
      • SearchApp.exe (PID: 6604)

    • Reads the computer name

      • ed7b275f-7e7b-4fa9-9abf-676847530890.exe (PID: 2760)
      • StartMenuExperienceHost.exe (PID: 4288)
      • TextInputHost.exe (PID: 5248)
      • SearchApp.exe (PID: 3644)
      • StartMenuExperienceHost.exe (PID: 3864)
      • TextInputHost.exe (PID: 1056)
      • SearchApp.exe (PID: 5308)
      • TextInputHost.exe (PID: 3872)
      • StartMenuExperienceHost.exe (PID: 2552)
      • SearchApp.exe (PID: 6604)

    • Manual execution by a user

      • Taskmgr.exe (PID: 2220)
      • Taskmgr.exe (PID: 6704)

    • Reads the machine GUID from the registry

      • StartMenuExperienceHost.exe (PID: 5160)
      • ed7b275f-7e7b-4fa9-9abf-676847530890.exe (PID: 2760)
      • TextInputHost.exe (PID: 2772)
      • SearchApp.exe (PID: 3644)
      • SearchApp.exe (PID: 5308)
      • SearchApp.exe (PID: 6604)

    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4772)
      • explorer.exe (PID: 4760)
      • explorer.exe (PID: 1232)
      • explorer.exe (PID: 4036)
      • RuntimeBroker.exe (PID: 5224)
      • explorer.exe (PID: 1388)
      • RuntimeBroker.exe (PID: 5448)
      • explorer.exe (PID: 3380)
      • explorer.exe (PID: 6420)
      • Taskmgr.exe (PID: 2220)
      • explorer.exe (PID: 2044)

    • Creates files in the program directory

      • ed7b275f-7e7b-4fa9-9abf-676847530890.exe (PID: 2760)

    • Checks proxy server information

      • explorer.exe (PID: 4772)
      • explorer.exe (PID: 1232)
      • explorer.exe (PID: 4036)
      • SearchApp.exe (PID: 3644)
      • explorer.exe (PID: 4760)
      • SearchApp.exe (PID: 5308)
      • explorer.exe (PID: 1388)
      • slui.exe (PID: 5708)
      • explorer.exe (PID: 6420)
      • SearchApp.exe (PID: 6604)
      • explorer.exe (PID: 2044)

    • Launching a file from a Registry key

      • explorer.exe (PID: 4772)
      • ed7b275f-7e7b-4fa9-9abf-676847530890.exe (PID: 2760)
      • explorer.exe (PID: 1232)
      • explorer.exe (PID: 4036)
      • explorer.exe (PID: 6420)

    • Process checks computer location settings

      • StartMenuExperienceHost.exe (PID: 4288)
      • SearchApp.exe (PID: 3644)
      • StartMenuExperienceHost.exe (PID: 3864)
      • SearchApp.exe (PID: 5308)
      • StartMenuExperienceHost.exe (PID: 2552)
      • SearchApp.exe (PID: 6604)

    • Reads the software policy settings

      • SearchApp.exe (PID: 3644)
      • SearchApp.exe (PID: 5308)
      • slui.exe (PID: 5708)
      • SearchApp.exe (PID: 6604)

    • Creates files or folders in the user directory

      • dllhost.exe (PID: 5604)
      • explorer.exe (PID: 4760)
      • explorer.exe (PID: 1388)

    • Reads Environment values

      • SearchApp.exe (PID: 3644)
      • SearchApp.exe (PID: 5308)
      • SearchApp.exe (PID: 6604)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:21 18:08:52+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 55808
InitializedDataSize: 541184
UninitializedDataSize: -
EntryPoint: 0x1e78
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
177
Monitored processes
45
Malicious processes
7
Suspicious processes
16

Behavior graph

Click at the process to see the details
start ed7b275f-7e7b-4fa9-9abf-676847530890.exe taskmgr.exe no specs taskmgr.exe #DIAMOTRIX explorer.exe slui.exe rundll32.exe no specs #DIAMOTRIX explorer.exe rundll32.exe no specs rundll32.exe no specs explorer.exe no specs textinputhost.exe no specs startmenuexperiencehost.exe no specs tiworker.exe no specs searchapp.exe mobsync.exe no specs #DIAMOTRIX explorer.exe explorer.exe no specs textinputhost.exe no specs startmenuexperiencehost.exe no specs searchapp.exe mobsync.exe no specs explorer.exe no specs #DIAMOTRIX explorer.exe explorer.exe no specs textinputhost.exe no specs startmenuexperiencehost.exe no specs tiworker.exe no specs searchapp.exe mobsync.exe no specs dllhost.exe textinputhost.exe sihost.exe svchost.exe svchost.exe runtimebroker.exe svchost.exe applicationframehost.exe startmenuexperiencehost.exe runtimebroker.exe searchapp.exe runtimebroker.exe taskhostw.exe dllhost.exe useroobebroker.exe svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
1056"C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mcaC:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
1
Version:
123.26505.0.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
1232C:\WINDOWS\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -EmbeddingC:\Windows\explorer.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\twinapi.dll
1380C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -EmbeddingC:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Version:
10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
1388"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\aepic.dll
2044"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
2220"C:\WINDOWS\system32\taskmgr.exe" /4C:\Windows\System32\Taskmgr.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Manager
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
2468C:\WINDOWS\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -EmbeddingC:\Windows\System32\rundll32.exesvchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
2484C:\WINDOWS\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}C:\Windows\System32\dllhost.exe
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
2552"C:\WINDOWS\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mcaC:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exesvchost.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\startmenuexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wincorlib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
2760"C:\Users\admin\AppData\Local\Temp\ed7b275f-7e7b-4fa9-9abf-676847530890.exe" C:\Users\admin\AppData\Local\Temp\ed7b275f-7e7b-4fa9-9abf-676847530890.exe
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ed7b275f-7e7b-4fa9-9abf-676847530890.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
140 183
Read events
139 192
Write events
934
Delete events
57

Modification events

(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000050266
Operation:writeName:VirtualDesktop
Value:
10000000303044563096AFED4A643448A750FA41CFC7F708
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
Operation:delete keyName:(default)
Value:
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
Operation:writeName:Classes
Value:
.accdb
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
Operation:writeName:~reserved~
Value:
0800000000000600
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation:writeName:LastUpdate
Value:
CFF4566800000000
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:Mode
Value:
1
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:LogicalViewMode
Value:
3
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:FFlags
Value:
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:IconSize
Value:
48
(PID) Process:(4772) explorer.exeKey:HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation:writeName:Sort
Value:
0000000000000000000000000000000000000000
Executable files
4
Suspicious files
51
Text files
103
Unknown types
0

Dropped files

PID
Process
Filename
Type
4772explorer.exeC:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.datbinary
MD5:E49C56350AEDF784BFE00E444B879672
SHA256:A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E
2220Taskmgr.exeC:\Users\admin\AppData\Local\D3DSCache\3534848bb9f4cb71\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.locktext
MD5:F49655F856ACB8884CC0ACE29216F511
SHA256:7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA
4700TiWorker.exeC:\Windows\Logs\CBS\CBS.logtext
MD5:B73CBF4FC02B0DA5B8872308559B1CC3
SHA256:DF3532846F68A16695A9742BC5914ACB15009E0E0A5ACDE775CDAE313AE09834
3644SearchApp.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\77\Init[1].htmhtml
MD5:AA2B56F1501AC4D0A9D0505A6E3363C9
SHA256:752FCD759642C1DF729E185689CE54FCF66E00A8E3DE6614B67F6B2798AAAC89
5604dllhost.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\77\appcache[1].mantext
MD5:15F8A83AE8EE49313779C8A2A461FDFD
SHA256:46E6B38B3605545995D0C888227BA22938943604AB967272FF739D40E7D292C5
3644SearchApp.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\77\tUCiVcVWZ-go7BLlq95YW6bKHZE[1].csstext
MD5:445D78544E0CFC11EFC1E172DA3ECBBC
SHA256:76EFEBABB82AE8342985C99A498137C04B3E46BC59D78191F0DA44C660B980F5
3644SearchApp.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\77\AptopUBu7_oVDubJxwvaIprW-lI[1].csstext
MD5:4E0E75684C84C0102CED12948B95609B
SHA256:4D18E491B2DE4DA34F6C15F0574911613E902F791FE72501E4404802760D1BCA
3644SearchApp.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10Dbinary
MD5:3E2EDAE63A8D6558E90848D54D849C81
SHA256:513B04AEC095F153B87B63C4CB2192F8F7A09FE2CD0037FDA90C483EDC5F2584
3644SearchApp.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\77\-M-8YWX0KlEtdAHVrkTvKQHOghs[1].jsbinary
MD5:32EE4742328DFB725F3A96641B93B344
SHA256:061E63AF37D22CCEF7FB5BB9BEABA0DF2F36B64F985BB8A408638846C895D0A7
3644SearchApp.exeC:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\77\-iNIzuEypRdgRJ6xnyVHizZ3bpM.br[1].jsbinary
MD5:E86ABEFE45E62F7E2F865D8A344D0B6F
SHA256:5D54790C856CE13811590E18AC3B0ACEEFEFB61258852490F4C5C60748365E89
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
48
DNS requests
27
Threats
5

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
2288
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
1268
svchost.exe
GET
200
23.55.104.190:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
1268
svchost.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
4512
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl
unknown
whitelisted
4512
SIHClient.exe
GET
200
95.101.149.131:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
4772
explorer.exe
POST
200
185.156.72.89:80
http://185.156.72.89/nzcwzue/pqrfxn.php
unknown
unknown
3644
SearchApp.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D
unknown
whitelisted
2940
svchost.exe
GET
200
23.209.209.135:80
http://x1.c.lencr.org/
unknown
whitelisted
4036
explorer.exe
POST
200
185.156.72.89:80
http://185.156.72.89/nzcwzue/pqrfxn.php
unknown
unknown
1232
explorer.exe
POST
200
185.156.72.89:80
http://185.156.72.89/nzcwzue/pqrfxn.php
unknown
unknown
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
5944
MoUsoCoreWorker.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
3956
RUXIMICS.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
1268
svchost.exe
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
2288
svchost.exe
20.190.159.2:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2288
svchost.exe
2.17.190.73:80
ocsp.digicert.com
AKAMAI-AS
DE
whitelisted
2336
svchost.exe
172.211.123.248:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
1268
svchost.exe
23.55.104.190:80
crl.microsoft.com
Akamai International B.V.
US
whitelisted
1268
svchost.exe
95.101.149.131:80
www.microsoft.com
Akamai International B.V.
NL
whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.130
  • 20.190.159.71
  • 20.190.159.128
  • 40.126.31.73
  • 40.126.31.129
  • 20.190.159.75
  • 40.126.31.71
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
crl.microsoft.com
  • 23.55.104.190
  • 23.55.104.172
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.29
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

PID
Process
Class
Message
4772
explorer.exe
A Network Trojan was detected
ET MALWARE Diamotrix POST Request M3
1232
explorer.exe
A Network Trojan was detected
ET MALWARE Diamotrix POST Request M3
4036
explorer.exe
A Network Trojan was detected
ET MALWARE Diamotrix POST Request M3
4036
explorer.exe
A Network Trojan was detected
ET MALWARE Diamotrix POST Request M3
6420
explorer.exe
A Network Trojan was detected
ET MALWARE Diamotrix POST Request M3
No debug info