File name:

.exe

Full analysis: https://app.any.run/tasks/ed7b275f-7e7b-4fa9-9abf-676847530890
Verdict: Malicious activity
Analysis date: June 21, 2025, 18:07:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
crypto-regex
clipper
diamotrix
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32+ executable (GUI) x86-64, for MS Windows, 5 sections
MD5:

946E3834E36523E8AE07CB2FEEA9B734

SHA1:

C6CA80816B8E1DF667C5D49F60C554B6622C5522

SHA256:

F224739A2013952F37140737874E91777EBED4E12354260856F703BDCDF22AF4

SSDEEP:

24576:VilbG5ebt9nXzuCH/BiuKkICXYYB1Yctp7VGLVmhqC4:VilbG5ebzXzuCH/Biu3IoYYB1Yctp7Ve

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Application was injected by another process

      • svchost.exe (PID: 4204)
      • sihost.exe (PID: 4180)
      • explorer.exe (PID: 4772)
      • svchost.exe (PID: 4248)
      • StartMenuExperienceHost.exe (PID: 5160)
      • SearchApp.exe (PID: 5328)
      • RuntimeBroker.exe (PID: 5224)
      • dllhost.exe (PID: 5604)
      • RuntimeBroker.exe (PID: 4376)
      • svchost.exe (PID: 6984)
      • ApplicationFrameHost.exe (PID: 5096)
      • dllhost.exe (PID: 2484)
      • UserOOBEBroker.exe (PID: 5936)
      • svchost.exe (PID: 5048)
      • RuntimeBroker.exe (PID: 5448)
      • TextInputHost.exe (PID: 2772)
      • taskhostw.exe (PID: 5528)
    • Runs injected code in another process

      • ed7b275f-7e7b-4fa9-9abf-676847530890.exe (PID: 2760)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 4772)
      • explorer.exe (PID: 1232)
      • ed7b275f-7e7b-4fa9-9abf-676847530890.exe (PID: 2760)
      • explorer.exe (PID: 4036)
      • explorer.exe (PID: 6420)
    • DIAMOTRIX has been detected (SURICATA)

      • explorer.exe (PID: 4772)
      • explorer.exe (PID: 1232)
      • explorer.exe (PID: 4036)
      • explorer.exe (PID: 6420)
  • SUSPICIOUS

    • Found regular expressions for crypto-addresses (YARA)

      • ed7b275f-7e7b-4fa9-9abf-676847530890.exe (PID: 2760)
      • explorer.exe (PID: 4760)
      • explorer.exe (PID: 1388)
    • Executable content was dropped or overwritten

      • ed7b275f-7e7b-4fa9-9abf-676847530890.exe (PID: 2760)
    • Connects to the server without a host name

      • explorer.exe (PID: 4772)
      • explorer.exe (PID: 1232)
      • explorer.exe (PID: 4036)
      • explorer.exe (PID: 6420)
    • Creates file in the systems drive root

      • explorer.exe (PID: 1232)
      • explorer.exe (PID: 4036)
      • explorer.exe (PID: 3380)
      • explorer.exe (PID: 6420)
    • Application launched itself

      • explorer.exe (PID: 1232)
      • explorer.exe (PID: 4036)
      • explorer.exe (PID: 6420)
    • Reads the date of Windows installation

      • StartMenuExperienceHost.exe (PID: 4288)
      • SearchApp.exe (PID: 3644)
      • StartMenuExperienceHost.exe (PID: 3864)
      • SearchApp.exe (PID: 5308)
      • StartMenuExperienceHost.exe (PID: 2552)
    • Reads security settings of Internet Explorer

      • StartMenuExperienceHost.exe (PID: 4288)
      • StartMenuExperienceHost.exe (PID: 3864)
      • StartMenuExperienceHost.exe (PID: 2552)
  • INFO

    • Checks supported languages

      • ed7b275f-7e7b-4fa9-9abf-676847530890.exe (PID: 2760)
      • TextInputHost.exe (PID: 5248)
      • SearchApp.exe (PID: 3644)
      • StartMenuExperienceHost.exe (PID: 4288)
      • TextInputHost.exe (PID: 1056)
      • StartMenuExperienceHost.exe (PID: 3864)
      • SearchApp.exe (PID: 5308)
      • TextInputHost.exe (PID: 3872)
      • StartMenuExperienceHost.exe (PID: 2552)
      • SearchApp.exe (PID: 6604)
    • Reads the computer name

      • ed7b275f-7e7b-4fa9-9abf-676847530890.exe (PID: 2760)
      • StartMenuExperienceHost.exe (PID: 4288)
      • SearchApp.exe (PID: 3644)
      • TextInputHost.exe (PID: 5248)
      • TextInputHost.exe (PID: 1056)
      • StartMenuExperienceHost.exe (PID: 3864)
      • SearchApp.exe (PID: 5308)
      • TextInputHost.exe (PID: 3872)
      • StartMenuExperienceHost.exe (PID: 2552)
      • SearchApp.exe (PID: 6604)
    • Reads security settings of Internet Explorer

      • explorer.exe (PID: 4772)
      • Taskmgr.exe (PID: 2220)
      • explorer.exe (PID: 1232)
      • explorer.exe (PID: 4760)
      • RuntimeBroker.exe (PID: 5224)
      • explorer.exe (PID: 4036)
      • explorer.exe (PID: 1388)
      • explorer.exe (PID: 3380)
      • RuntimeBroker.exe (PID: 5448)
      • explorer.exe (PID: 6420)
      • explorer.exe (PID: 2044)
    • Manual execution by a user

      • Taskmgr.exe (PID: 6704)
      • Taskmgr.exe (PID: 2220)
    • Reads the machine GUID from the registry

      • ed7b275f-7e7b-4fa9-9abf-676847530890.exe (PID: 2760)
      • StartMenuExperienceHost.exe (PID: 5160)
      • TextInputHost.exe (PID: 2772)
      • SearchApp.exe (PID: 3644)
      • SearchApp.exe (PID: 5308)
      • SearchApp.exe (PID: 6604)
    • Launching a file from a Registry key

      • ed7b275f-7e7b-4fa9-9abf-676847530890.exe (PID: 2760)
      • explorer.exe (PID: 4772)
      • explorer.exe (PID: 1232)
      • explorer.exe (PID: 4036)
      • explorer.exe (PID: 6420)
    • Creates files in the program directory

      • ed7b275f-7e7b-4fa9-9abf-676847530890.exe (PID: 2760)
    • Checks proxy server information

      • explorer.exe (PID: 4772)
      • explorer.exe (PID: 1232)
      • SearchApp.exe (PID: 3644)
      • explorer.exe (PID: 4760)
      • explorer.exe (PID: 4036)
      • explorer.exe (PID: 1388)
      • SearchApp.exe (PID: 5308)
      • slui.exe (PID: 5708)
      • explorer.exe (PID: 6420)
      • explorer.exe (PID: 2044)
      • SearchApp.exe (PID: 6604)
    • Process checks computer location settings

      • StartMenuExperienceHost.exe (PID: 4288)
      • SearchApp.exe (PID: 3644)
      • StartMenuExperienceHost.exe (PID: 3864)
      • SearchApp.exe (PID: 5308)
      • StartMenuExperienceHost.exe (PID: 2552)
      • SearchApp.exe (PID: 6604)
    • Creates files or folders in the user directory

      • explorer.exe (PID: 4760)
      • dllhost.exe (PID: 5604)
      • explorer.exe (PID: 1388)
    • Reads the software policy settings

      • SearchApp.exe (PID: 3644)
      • SearchApp.exe (PID: 5308)
      • slui.exe (PID: 5708)
      • SearchApp.exe (PID: 6604)
    • Reads Environment values

      • SearchApp.exe (PID: 3644)
      • SearchApp.exe (PID: 5308)
      • SearchApp.exe (PID: 6604)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
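The "clipper" and "crypto-regex" tags and the "Found regular expressions for crypto-addresses (YARA)" indicator above describe the sample's payload class: a clipper watches the clipboard for text that looks like a cryptocurrency address and silently replaces it with the attacker's address of the same type, so the victim pastes and pays the wrong wallet. The block below is an added example (not code from the report, from ANY.RUN or from the sample) that models that behaviour and a simple detection for it. The address patterns are the common public address formats, not the regexes the YARA rule matched in this sample (the report does not list them); the attacker wallets, the clipboard timeline and the two-second window are constructed assumptions.

```python
"""Clipboard-swap model and detector (added example; not code from the report
or the sample).  ADDRESS_PATTERNS are public address formats, not the regexes
found in this sample; ATTACKER_WALLETS and the snapshot timeline are constructed."""
import re

# Common public address formats.  Base58 excludes 0, O, I and l; bech32 uses
# the 32-character set qpzry9x8gf2tvdw0s3jn54khce6mua7l.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"[13][a-km-zA-HJ-NP-Z1-9]{25,34}"),
    "btc_bech32": re.compile(r"bc1[ac-hj-np-z02-9]{39,59}"),
    "eth": re.compile(r"0x[0-9a-fA-F]{40}"),
}

# Constructed attacker wallets, one per format the clipper understands.
ATTACKER_WALLETS = {
    "btc_legacy": "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa",
    "btc_bech32": "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",
    "eth": "0x1111111111111111111111111111111111111111",
}


def classify(text: str):
    """Name of the address format `text` matches, or None for ordinary text."""
    t = text.strip()
    for name, pattern in ADDRESS_PATTERNS.items():
        if pattern.fullmatch(t):
            return name
    return None


def clipper_rewrite(text: str) -> str:
    """What a clipper does on every clipboard read: address in, attacker's address out."""
    kind = classify(text)
    return ATTACKER_WALLETS[kind] if kind else text


def detect_swaps(snapshots, window_s: float = 2.0):
    """Flag clipboard changes where one address is replaced by a *different*
    address of the same format within `window_s` seconds.  A user rarely copies
    two different addresses of the same type within two seconds; a clipper
    overwriting the clipboard right after a copy does exactly that.
    `snapshots` is a time-ordered list of (seconds, clipboard_text)."""
    alerts = []
    for (t0, before), (t1, after) in zip(snapshots, snapshots[1:]):
        kind = classify(before)
        if kind and kind == classify(after) and before != after and t1 - t0 <= window_s:
            alerts.append({"t": t1, "format": kind, "original": before, "replacement": after})
    return alerts


# Constructed clipboard timeline: the user copies two addresses and the clipper
# overwrites each within 50 ms; the BTC address copied much later is a
# legitimate copy and must not be flagged.
USER_BTC = "1BvBMSEYstWetqTFn5Au4m4GFg7xJaNVN2"
USER_ETH = "0xde0B295669a9FD93d5F28D9Ec85E40f4cb697BAe"
USER_BTC_LATER = "3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy"
CONSTRUCTED_SNAPSHOTS = [
    (10.00, USER_BTC),
    (10.05, clipper_rewrite(USER_BTC)),
    (30.00, "buy milk, call the bank"),
    (45.00, USER_ETH),
    (45.05, clipper_rewrite(USER_ETH)),
    (120.0, USER_BTC_LATER),
]

if __name__ == "__main__":
    for a in detect_swaps(CONSTRUCTED_SNAPSHOTS):
        print(f"t={a['t']:.2f}s {a['format']}: {a['original']} -> {a['replacement']}")
```

On a real host the snapshots would come from polling the clipboard (or from a clipboard-format listener), and the window should be tuned to the poll interval; the check is a heuristic, so a user who pastes an address and immediately copies a second one of the same type will trip it.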
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (87.3)
.exe | Generic Win/DOS Executable (6.3)
.exe | DOS Executable Generic (6.3)

EXIF

EXE

MachineType: AMD AMD64
TimeStamp: 2025:06:21 18:08:52+00:00
ImageFileCharacteristics: Executable, Large address aware
PEType: PE32+
LinkerVersion: 14.4
CodeSize: 55808
InitializedDataSize: 541184
UninitializedDataSize: -
EntryPoint: 0x1e78
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
No data.
All screenshots are available in the full report
Total processes
177
Monitored processes
45
Malicious processes
7
Suspicious processes
16

Behavior graph

Process nodes in graph order ("#DIAMOTRIX" marks nodes carrying the Suricata detection; "no specs" marks processes with no recorded indicators):
  • start
  • ed7b275f-7e7b-4fa9-9abf-676847530890.exe
  • taskmgr.exe (no specs)
  • taskmgr.exe
  • #DIAMOTRIX explorer.exe
  • slui.exe
  • rundll32.exe (no specs)
  • #DIAMOTRIX explorer.exe
  • rundll32.exe (no specs)
  • rundll32.exe (no specs)
  • explorer.exe (no specs)
  • textinputhost.exe (no specs)
  • startmenuexperiencehost.exe (no specs)
  • tiworker.exe (no specs)
  • searchapp.exe
  • mobsync.exe (no specs)
  • #DIAMOTRIX explorer.exe
  • explorer.exe (no specs)
  • textinputhost.exe (no specs)
  • startmenuexperiencehost.exe (no specs)
  • searchapp.exe
  • mobsync.exe (no specs)
  • explorer.exe (no specs)
  • #DIAMOTRIX explorer.exe
  • explorer.exe (no specs)
  • textinputhost.exe (no specs)
  • startmenuexperiencehost.exe (no specs)
  • tiworker.exe (no specs)
  • searchapp.exe
  • mobsync.exe (no specs)
  • dllhost.exe
  • textinputhost.exe
  • sihost.exe
  • svchost.exe
  • svchost.exe
  • runtimebroker.exe
  • svchost.exe
  • applicationframehost.exe
  • startmenuexperiencehost.exe
  • runtimebroker.exe
  • searchapp.exe
  • runtimebroker.exe
  • taskhostw.exe
  • dllhost.exe
  • useroobebroker.exe
  • svchost.exe

Process information

PID
CMD
Path
Indicators
Parent process
PID: 1056
CMD: "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
Path: C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Exit code:
1
Version:
123.26505.0.0
Modules
Images
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\textinputhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\systemapps\microsoftwindows.client.cbs_cw5n1h2txyewy\vcruntime140_app.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
PID: 1232
CMD: C:\WINDOWS\explorer.exe /factory,{682159d9-c321-47ca-b3f1-30e36b2ec8b9} -Embedding
Path: C:\Windows\explorer.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\twinapi.dll
PID: 1380
CMD: C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding
Path: C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe
Parent process: svchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows Modules Installer Worker
Version:
10.0.19041.3989 (WinBuild.160101.0800)
Modules
Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
PID: 1388
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\aepic.dll
PID: 2044
CMD: "C:\Windows\explorer.exe"
Path: C:\Windows\explorer.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Version:
10.0.19041.3758 (WinBuild.160101.0800)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\shcore.dll
PID: 2220
CMD: "C:\WINDOWS\system32\taskmgr.exe" /4
Path: C:\Windows\System32\Taskmgr.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Task Manager
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\taskmgr.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
PID: 2468
CMD: C:\WINDOWS\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
Path: C:\Windows\System32\rundll32.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows host process (Rundll32)
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\rundll32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\shcore.dll
c:\windows\system32\imagehlp.dll
PID: 2484
CMD: C:\WINDOWS\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
Path: C:\Windows\System32\dllhost.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
COM Surrogate
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\dllhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\kernel.appcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\bcryptprimitives.dll
PID: 2552
CMD: "C:\WINDOWS\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
Path: C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
Parent process: svchost.exe
User:
admin
Integrity Level:
MEDIUM
Modules
Images
c:\windows\systemapps\microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy\startmenuexperiencehost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\wincorlib.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
PID: 2760
CMD: "C:\Users\admin\AppData\Local\Temp\ed7b275f-7e7b-4fa9-9abf-676847530890.exe"
Path: C:\Users\admin\AppData\Local\Temp\ed7b275f-7e7b-4fa9-9abf-676847530890.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
0
Modules
Images
c:\users\admin\appdata\local\temp\ed7b275f-7e7b-4fa9-9abf-676847530890.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
Total events
140 183
Read events
139 192
Write events
934
Delete events
57

Modification events

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SessionInfo\1\ApplicationViewManagement\W32:0000000000050266
Operation: write
Name: VirtualDesktop
Value: 10000000303044563096AFED4A643448A750FA41CFC7F708

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
Operation: delete key
Name: (default)
Value:

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
Operation: write
Name: Classes
Value: .accdb

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Discardable\PostSetup\ShellNew
Operation: write
Name: ~reserved~
Value: 0800000000000600

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive\Accounts
Operation: write
Name: LastUpdate
Value: CFF4566800000000

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: Mode
Value: 1

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: LogicalViewMode
Value: 3

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: FFlags
Value:

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: IconSize
Value: 48

(PID) Process: (4772) explorer.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop
Operation: write
Name: Sort
Value: 0000000000000000000000000000000000000000
Executable files
4
Suspicious files
51
Text files
103
Unknown types
0

Dropped files

PID | Process | Filename | Type

4772 | explorer.exe | C:\Users\admin\AppData\Local\Microsoft\PenWorkspace\DiscoverCacheData.dat | binary
MD5: E49C56350AEDF784BFE00E444B879672
SHA256: A8BD235303668981563DFB5AAE338CB802817C4060E2C199B7C84901D57B7E1E

2220 | Taskmgr.exe | C:\Users\admin\AppData\Local\D3DSCache\3534848bb9f4cb71\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock | text
MD5: F49655F856ACB8884CC0ACE29216F511
SHA256: 7852FCE59C67DDF1D6B8B997EAA1ADFAC004A9F3A91C37295DE9223674011FBA

3644 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbres | binary
MD5: 9CD065248911FD8247645EA696B6233B
SHA256: 6DC526B582DCE5EE66FFEE5F6FD6070767158B5523753DD3565569A714FBB452

5604 | dllhost.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\77\appcache[1].man | text
MD5: 15F8A83AE8EE49313779C8A2A461FDFD
SHA256: 46E6B38B3605545995D0C888227BA22938943604AB967272FF739D40E7D292C5

2760 | ed7b275f-7e7b-4fa9-9abf-676847530890.exe | C:\ProgramData\bbeecafdaeec.exe | executable
MD5: 946E3834E36523E8AE07CB2FEEA9B734
SHA256: F224739A2013952F37140737874E91777EBED4E12354260856F703BDCDF22AF4
(Both hashes equal those of the submitted sample: the file in ProgramData is a byte-identical copy of it.)

3644 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\26C212D9399727259664BDFCA073966E_F9F7D6A7ECE73106D2A8C63168CDA10D | binary
MD5: DF367B9525354CC5543C9247210072ED
SHA256: 68511E58CC309F2895652008EF4A7C0B18C023D5EDBC435BCE4E83F8BE640D09

3644 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZWUI0EBX\www.bing[1].xml | text
MD5: 005B11370D533753ABDD07CF8C86D54F
SHA256: E12B84F7FEBA0CD1F3DC42A0E6E2C274A5050206CC614B5F22B4FED79D2D63F6

3644 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\77\4BpQ1bD8vX1mXuJObN-gg9RqkyQ.br[1].js | binary
MD5: 8465A334065673EB6A6487C8D87539DB
SHA256: 84ED6C495B322B0F2213CC33EC6C652D84D82E010C928B1141DB2290D4365F3D

3644 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\77\LJVpDXTkWDgGwVlLgxLZkLutWKw[1].css | text
MD5: D97A40CB7E09B965775AFEFCCCF44EA3
SHA256: 31D3034E93E33A0EB4421A86EC07D83801B3E47B9EB1D119DF2FE65679D0B458

3644 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\AppCache\5Y734AMR\77\tUCiVcVWZ-go7BLlq95YW6bKHZE[1].css | text
MD5: 445D78544E0CFC11EFC1E172DA3ECBBC
SHA256: 76EFEBABB82AE8342985C99A498137C04B3E46BC59D78191F0DA44C660B980F5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
13
TCP/UDP connections
48
DNS requests
27
Threats
5

HTTP requests

PID | Process | Method | HTTP code | IP | URL | CN | Reputation
(Type and Size are not recorded for these rows.)

6796 | backgroundTaskHost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEA77flR%2B3w%2FxBpruV2lte6A%3D | unknown | whitelisted
2288 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 23.55.104.190:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
1268 | svchost.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
4512 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
4512 | SIHClient.exe | GET | 200 | 95.101.149.131:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Secure%20Server%20CA%202.1.crl | unknown | whitelisted
4772 | explorer.exe | POST | 200 | 185.156.72.89:80 | http://185.156.72.89/nzcwzue/pqrfxn.php | unknown | unknown
3644 | SearchApp.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D | unknown | whitelisted
4036 | explorer.exe | POST | 200 | 185.156.72.89:80 | http://185.156.72.89/nzcwzue/pqrfxn.php | unknown | unknown
1232 | explorer.exe | POST | 200 | 185.156.72.89:80 | http://185.156.72.89/nzcwzue/pqrfxn.php | unknown | unknown

The three POST requests are the only traffic not attributable to Windows housekeeping (OCSP/CRL fetches): they go to a bare IP over plain HTTP from injected explorer.exe instances, which is what the "Connects to the server without a host name" indicator and the Suricata hits below refer to.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

4 | System | 192.168.100.255:137 | - | - | - | whitelisted
5944 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
3956 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
1268 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
2288 | svchost.exe | 20.190.159.2:443 | login.live.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
2288 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
2336 | svchost.exe | 172.211.123.248:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted
1268 | svchost.exe | 23.55.104.190:80 | crl.microsoft.com | Akamai International B.V. | US | whitelisted
1268 | svchost.exe | 95.101.149.131:80 | www.microsoft.com | Akamai International B.V. | NL | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.186.78
whitelisted
login.live.com
  • 20.190.159.2
  • 40.126.31.130
  • 20.190.159.71
  • 20.190.159.128
  • 40.126.31.73
  • 40.126.31.129
  • 20.190.159.75
  • 40.126.31.71
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
settings-win.data.microsoft.com
  • 40.127.240.158
  • 51.124.78.146
whitelisted
client.wns.windows.com
  • 172.211.123.248
  • 172.211.123.250
whitelisted
crl.microsoft.com
  • 23.55.104.190
  • 23.55.104.172
whitelisted
www.microsoft.com
  • 95.101.149.131
whitelisted
nexusrules.officeapps.live.com
  • 52.111.243.29
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
fe3cr.delivery.mp.microsoft.com
  • 40.69.42.241
whitelisted

Threats

PID | Process | Class | Message

4772 | explorer.exe | A Network Trojan was detected | ET MALWARE Diamotrix POST Request M3
1232 | explorer.exe | A Network Trojan was detected | ET MALWARE Diamotrix POST Request M3
4036 | explorer.exe | A Network Trojan was detected | ET MALWARE Diamotrix POST Request M3
4036 | explorer.exe | A Network Trojan was detected | ET MALWARE Diamotrix POST Request M3
6420 | explorer.exe | A Network Trojan was detected | ET MALWARE Diamotrix POST Request M3
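Taken together, the dropped-file row (a copy of the sample in C:\ProgramData), the "Changes the autorun value in the registry" indicator, the injection into explorer.exe and the POST requests to 185.156.72.89 give a compact behavioural signature for this sample. The block below is an added example (not ANY.RUN's, not the malware's, and not an Emerging Threats rule) that runs that detection logic over a constructed stream of Sysmon-style events. The hashes, paths and C2 URL are the report's own; the event schema, the events themselves and the Run value name "bbeecafdaeec" are assumptions.

```python
"""Behaviour triage for the indicators in this report (added example, not
ANY.RUN's or the malware's code).  Hashes, paths and the C2 URL come from the
report; the event schema, the events and the Run value name are assumptions."""
import ipaddress
import ntpath
import re
from urllib.parse import urlsplit

# Indicators copied from the report above (SHA256 lower-cased for comparison).
SAMPLE_SHA256 = "f224739a2013952f37140737874e91777ebed4e12354260856f703bdcdf22af4"
SAMPLE_IMAGE = r"C:\Users\admin\AppData\Local\Temp\ed7b275f-7e7b-4fa9-9abf-676847530890.exe"
DROPPED_PATH = r"C:\ProgramData\bbeecafdaeec.exe"
C2_URL = "http://185.156.72.89/nzcwzue/pqrfxn.php"

# HKCU/HKLM ...\CurrentVersion\Run and RunOnce: the classic autorun keys.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
# Directories where a freshly written .exe deserves a second look: world-writable
# ProgramData/Public and the system drive root the report also mentions.
DROP_DIRS = {r"c:\programdata", r"c:\users\public", "c:\\"}


def is_bare_ip_host(url: str) -> bool:
    """True when the URL host is an IP literal rather than a DNS name."""
    host = urlsplit(url).hostname
    if not host:
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return False
    return True


def is_suspicious_drop(path: str) -> bool:
    """Executable written directly into one of DROP_DIRS."""
    p = path.lower()
    return p.endswith(".exe") and ntpath.dirname(p) in DROP_DIRS


def triage(events):
    """Return (finding, pid, image) for each event that matches a behaviour."""
    findings = []
    for ev in events:
        kind, pid, image = ev["event"], ev["pid"], ev["image"]
        if kind == "RegistryValueSet" and RUN_KEY_RE.search(ev["target"]):
            findings.append(("autorun_registry_write", pid, image))
        elif kind == "FileCreate" and is_suspicious_drop(ev["target"]):
            same = ev.get("sha256", "").lower() == SAMPLE_SHA256
            findings.append(("drops_copy_of_itself" if same else "drops_executable", pid, image))
        elif kind == "CreateRemoteThread" and ev["target_image"].lower() != image.lower():
            findings.append(("remote_thread_injection", pid, image))
        elif kind == "HttpRequest" and ev["method"] == "POST" and is_bare_ip_host(ev["url"]):
            findings.append(("post_to_bare_ip", pid, image))
    return findings


# Constructed events modelled on rows from the report; not a real log.
CONSTRUCTED_EVENTS = [
    # benign noise: a shell view setting and a CRL download
    {"event": "RegistryValueSet", "pid": 4772, "image": r"C:\Windows\explorer.exe",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\Shell\Bags\1\Desktop\IconSize"},
    {"event": "HttpRequest", "pid": 1268, "image": r"C:\Windows\System32\svchost.exe",
     "method": "GET", "url": "http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl"},
    # the sample writes a byte-identical copy of itself into ProgramData
    {"event": "FileCreate", "pid": 2760, "image": SAMPLE_IMAGE,
     "target": DROPPED_PATH, "sha256": SAMPLE_SHA256},
    # autorun value pointing at the copy; the value name "bbeecafdaeec" is an assumption
    {"event": "RegistryValueSet", "pid": 2760, "image": SAMPLE_IMAGE,
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bbeecafdaeec"},
    # injection into explorer.exe (Sysmon event 8 semantics)
    {"event": "CreateRemoteThread", "pid": 2760, "image": SAMPLE_IMAGE,
     "target_image": r"C:\Windows\explorer.exe", "target_pid": 4772},
    # the injected explorer.exe beacons to the C2 by IP, matching the Suricata hit
    {"event": "HttpRequest", "pid": 4772, "image": r"C:\Windows\explorer.exe",
     "method": "POST", "url": C2_URL},
]

if __name__ == "__main__":
    for finding, pid, image in triage(CONSTRUCTED_EVENTS):
        print(f"{finding:<26} pid={pid} {image}")
```

The point of scoring each behaviour separately is that none is conclusive alone (explorer.exe legitimately writes under HKCU, and some updaters POST to IPs), but a Run-key write plus a self-copy into ProgramData plus a remote thread into a shell process plus a bare-IP POST from that same process is the chain this report documents.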
No debug info