URL:

https://filedm.com/sBdxw

Full analysis: https://app.any.run/tasks/cd9a3c2c-0d99-4347-af4e-654bca95204e
Verdict: Malicious activity
Threats:

Adware is software that pushes unwanted advertisements at users, often disrupting their browsing. It typically arrives through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads such as pop-ups or banners. Some variants resist removal by registering services or other persistence, and some weaken the system itself, for example by adding a root certificate or a local proxy that intercepts traffic, which other malware can then abuse. It is therefore a privacy and system-security risk, not only a nuisance.

Analysis date: May 21, 2025, 14:29:17
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
ossproxy
premieropinion
adware
relevantknowledge
arch-exec
arch-scr
arch-html
pua
Indicators:
MD5:

0C32668F9C467CD1342FAB4E0FB4EA89

SHA1:

9D92AE6E64A8B076985D9723C13E6468CA168CB5

SHA256:

28AEE53E7803499CB7EA9116009B26A1F63E2F5C9282AFE32BADA00507F70618

SSDEEP:

3:N8/K7n:2/Q

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • PREMIEROPINION mutex has been found

      • pmropn.exe (PID: 2420)
      • ContentI3.exe (PID: 5200)
      • pmropn.exe (PID: 2332)
    • OSSPROXY mutex has been found

      • pmropn.exe (PID: 2420)
      • ContentI3.exe (PID: 5200)
      • pmropn.exe (PID: 2332)
    • Runs injected code in another process

      • rundll32.exe (PID: 8172)
    • Application was injected by another process

      • svchost.exe (PID: 1260)
    • RELEVANTKNOWLEDGE mutex has been found

      • rundll32.exe (PID: 8172)
      • pmropn.exe (PID: 2420)
    • OSSPROXY has been detected (SURICATA)

      • pmropn.exe (PID: 2332)
    • ADWARE has been detected (SURICATA)

      • pmropn.exe (PID: 2332)
  • SUSPICIOUS

    • There is functionality for taking screenshot (YARA)

      • Xeno Exploit_83776631.exe (PID: 2192)
      • GameBooster.exe (PID: 8160)
      • GameBooster.exe (PID: 4844)
    • Reads security settings of Internet Explorer

      • Xeno Exploit_83776631.exe (PID: 2192)
      • ContentI3.exe (PID: 5200)
      • pmropn.exe (PID: 2420)
    • Executable content was dropped or overwritten

      • Xeno Exploit_83776631.exe (PID: 2192)
      • ContentI3.exe (PID: 5200)
      • pmropn.exe (PID: 2420)
    • Executes as Windows Service

      • GameBooster.exe (PID: 4844)
      • pmservice.exe (PID: 7920)
    • Creates a software uninstall entry

      • GameBooster.exe (PID: 6480)
      • pmropn.exe (PID: 2420)
      • pmservice.exe (PID: 7920)
      • ContentI3.exe (PID: 5200)
    • Application launched itself

      • GameBooster.exe (PID: 4844)
    • Start notepad (likely ransomware note)

      • Xeno Exploit_83776631.exe (PID: 2192)
    • Uses RUNDLL32.EXE to load library

      • pmservice.exe (PID: 7920)
    • Searches for installed software

      • reg.exe (PID: 6760)
      • rundll32.exe (PID: 8172)
      • svchost.exe (PID: 1260)
      • pmservice.exe (PID: 7920)
      • pmropn.exe (PID: 2332)
      • ContentI3.exe (PID: 5200)
      • pmropn.exe (PID: 2420)
    • Adds/modifies Windows certificates

      • pmservice.exe (PID: 7920)
      • pmropn.exe (PID: 2420)
    • The process drops C-runtime libraries

      • msedge.exe (PID: 3008)
      • msedge.exe (PID: 7292)
    • Process drops legitimate windows executable

      • msedge.exe (PID: 7292)
      • msedge.exe (PID: 3008)
      • WinRAR.exe (PID: 7916)
    • Starts CMD.EXE for commands execution

      • pmservice.exe (PID: 7920)
    • Potential Corporate Privacy Violation

      • pmropn.exe (PID: 2332)
    • Connects to unusual port

      • pmropn.exe (PID: 2332)
    • Starts POWERSHELL.EXE for commands execution

      • pmropn.exe (PID: 2332)
  • INFO

    • Checks supported languages

      • identity_helper.exe (PID: 8168)
      • Xeno Exploit_83776631.exe (PID: 2192)
      • GameBooster.exe (PID: 8160)
      • GameBooster.exe (PID: 4844)
      • GameBooster.exe (PID: 6480)
      • ContentI3.exe (PID: 5200)
      • pmropn.exe (PID: 2420)
      • pmservice.exe (PID: 7920)
      • pmropn.exe (PID: 2332)
    • Reads Environment values

      • identity_helper.exe (PID: 8168)
    • Reads the computer name

      • identity_helper.exe (PID: 8168)
      • Xeno Exploit_83776631.exe (PID: 2192)
      • GameBooster.exe (PID: 4844)
      • GameBooster.exe (PID: 8160)
      • GameBooster.exe (PID: 6480)
      • ContentI3.exe (PID: 5200)
      • pmropn.exe (PID: 2420)
      • pmservice.exe (PID: 7920)
      • pmropn.exe (PID: 2332)
    • Application launched itself

      • msedge.exe (PID: 3008)
      • msedge.exe (PID: 4428)
    • Executable content was dropped or overwritten

      • msedge.exe (PID: 3008)
      • WinRAR.exe (PID: 7916)
      • msedge.exe (PID: 4428)
    • Checks proxy server information

      • Xeno Exploit_83776631.exe (PID: 2192)
      • pmropn.exe (PID: 2420)
    • Creates files or folders in the user directory

      • Xeno Exploit_83776631.exe (PID: 2192)
      • ContentI3.exe (PID: 5200)
      • pmropn.exe (PID: 2420)
    • Reads the machine GUID from the registry

      • Xeno Exploit_83776631.exe (PID: 2192)
      • pmropn.exe (PID: 2420)
      • pmservice.exe (PID: 7920)
    • Reads the software policy settings

      • GameBooster.exe (PID: 4844)
      • Xeno Exploit_83776631.exe (PID: 2192)
      • pmropn.exe (PID: 2420)
      • pmservice.exe (PID: 7920)
      • slui.exe (PID: 7944)
    • Process checks computer location settings

      • Xeno Exploit_83776631.exe (PID: 2192)
    • The sample compiled with english language support

      • Xeno Exploit_83776631.exe (PID: 2192)
      • ContentI3.exe (PID: 5200)
      • pmropn.exe (PID: 2420)
      • msedge.exe (PID: 3008)
      • WinRAR.exe (PID: 7916)
      • msedge.exe (PID: 7292)
    • Creates files in the program directory

      • Xeno Exploit_83776631.exe (PID: 2192)
      • ContentI3.exe (PID: 5200)
      • reg.exe (PID: 6760)
      • pmropn.exe (PID: 2420)
      • pmservice.exe (PID: 7920)
    • Create files in a temporary directory

      • Xeno Exploit_83776631.exe (PID: 2192)
      • ContentI3.exe (PID: 5200)
    • OSSPROXY has been detected

      • ContentI3.exe (PID: 5200)
      • pmservice.exe (PID: 7920)
      • cmd.exe (PID: 1676)
      • cmd.exe (PID: 2420)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 976)
    • Manual execution by a user

      • Xeno.exe (PID: 7220)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes
390
Monitored processes
245
Malicious processes
11
Suspicious processes
2

Behavior graph

The interactive graph is reduced here to its node list, in order of first appearance (nodes the original marks "no specs" carry no signatures of their own):
  • start, msedge.exe (dozens of renderer/utility instances), identity_helper.exe, sppextcomobj.exe, slui.exe, unsecapp.exe
  • xeno exploit_83776631.exe (2 instances), later xeno.exe
  • gamebooster.exe (3 instances)
  • contenti3.exe #PREMIEROPINION
  • notepad.exe
  • pmropn.exe #PREMIEROPINION (several instances), pmropn32.exe and pmropn64.exe (several instances each)
  • pmservice.exe
  • rundll32.exe #RELEVANTKNOWLEDGE, and a second rundll32.exe
  • reg.exe, cmd.exe (2), powershell.exe, winrar.exe, svchost.exe (2)
  • checknetisolation.exe paired with conhost.exe, repeated several dozen times

Process information

PID
CMD
Path
Indicators
Parent process
PID: 232
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: CheckNetIsolation.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 232
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: CheckNetIsolation.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 232
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: CheckNetIsolation.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 232
CMD: CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy
Path: C:\Windows\SysWOW64\CheckNetIsolation.exe
Parent process: pmropn.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AppContainer Network Isolation Diagnostic Tool
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID: 644
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6884 --field-trial-handle=2708,i,1821589074766645890,12250660792829335567,262144 --variations-seed-version /prefetch:8
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 644
CMD: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3408 --field-trial-handle=2448,i,8094545820933266003,15310967151844698731,262144 --variations-seed-version /prefetch:1
Path: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
Parent process: msedge.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
LOW
Description:
Microsoft Edge
Exit code:
0
Version:
122.0.2365.59
Modules
Images
c:\program files (x86)\microsoft\edge\application\msedge.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files (x86)\microsoft\edge\application\122.0.2365.59\msedge_elf.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 664
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: CheckNetIsolation.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 664
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: CheckNetIsolation.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 664
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: CheckNetIsolation.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 664
CMD: CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.parentalcontrols_cw5n1h2txyewy
Path: C:\Windows\SysWOW64\CheckNetIsolation.exe
Parent process: pmropn.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AppContainer Network Isolation Diagnostic Tool
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
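The two CheckNetIsolation.exe rows above (PIDs 232 and 664, parent pmropn.exe, user SYSTEM) show the installer adding AppContainer loopback exemptions with `LoopbackExempt -a -n=<package>`, and the behavior graph shows the same pair repeated dozens of times. Windows network isolation stops AppContainer (Store/UWP) apps from connecting to 127.0.0.1 unless their package is exempted, so a local interception proxy has to enrol every package whose traffic it wants to see. Read together with "Adds/modifies Windows certificates" and "Connects to unusual port" on the same binaries, that is the footprint of a traffic-monitoring proxy rather than an ad injector alone. Outside development tooling (Visual Studio, Fiddler) this command is rare on end-user machines, which makes it a good detection anchor. The Python below is an added example written for this page, not code from the ANY.RUN report or from the sample: it groups `LoopbackExempt -a` process-creation events (Sysmon Event ID 1 style fields) by parent process and rates a parent that enrols several packages as bulk enrolment. The field names, the allow-list, the threshold, the pmropn.exe path and the constructed events are assumptions made for the demo.

```python
"""Added example: flag bulk AppContainer loopback exemptions.

Illustrative code written for this page; not part of the ANY.RUN report
and not code from the sample. It walks process-creation events (Sysmon
Event ID 1 / EDR style fields) and reports any parent that adds loopback
exemptions with "CheckNetIsolation.exe LoopbackExempt -a", as pmropn.exe
does for microsoft.windows.startmenuexperiencehost and
microsoft.windows.parentalcontrols in the report. Field names, allow-list,
threshold and the sample events are assumptions made for the demo.
"""
from __future__ import annotations

import re
import shlex
from collections import defaultdict
from dataclasses import dataclass

# Parents expected to add loopback exemptions (debug/dev tooling).
# Assumed allow-list; tune it for your estate.
ALLOWED_PARENTS = {"devenv.exe", "fiddler.exe"}

# Distinct packages one parent may exempt before it counts as bulk enrolment.
BULK_THRESHOLD = 3

PACKAGE_RE = re.compile(r"^-n=(?P<pkg>[A-Za-z0-9._-]+)$", re.IGNORECASE)


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the new process
    cmdline: str
    parent_pid: int
    parent_image: str
    user: str


@dataclass(frozen=True)
class Finding:
    parent_pid: int
    parent_image: str
    packages: tuple[str, ...]
    severity: str       # "high" for bulk enrolment, "low" for a single add


def basename(path: str) -> str:
    """Lower-cased file name of a possibly quoted Windows path."""
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()


def loopback_exempt_package(cmdline: str) -> str | None:
    """Package family name if cmdline is 'CheckNetIsolation LoopbackExempt -a -n=<pkg>', else None."""
    try:
        argv = shlex.split(cmdline, posix=False)   # non-POSIX: backslashes stay literal
    except ValueError:
        return None
    if len(argv) < 3 or basename(argv[0]) != "checknetisolation.exe":
        return None
    flags = [a.lower() for a in argv[1:]]
    if flags[0] != "loopbackexempt" or "-a" not in flags:   # -s (show) / -d (delete) are not adds
        return None
    for arg in argv[2:]:
        m = PACKAGE_RE.match(arg)
        if m:
            return m.group("pkg").lower()
    return None


def find_bulk_loopback_enrolment(events: list[ProcEvent]) -> list[Finding]:
    """Group exemptions by parent process; skip allow-listed parents; rate by count."""
    by_parent: dict[tuple[int, str], set[str]] = defaultdict(set)
    for ev in events:
        pkg = loopback_exempt_package(ev.cmdline)
        if pkg is not None:
            by_parent[(ev.parent_pid, ev.parent_image)].add(pkg)
    findings = []
    for (ppid, pimage), pkgs in sorted(by_parent.items()):
        if basename(pimage) in ALLOWED_PARENTS:
            continue
        severity = "high" if len(pkgs) >= BULK_THRESHOLD else "low"
        findings.append(Finding(ppid, pimage, tuple(sorted(pkgs)), severity))
    return findings


# Constructed events mirroring the process tree in this report. PIDs 232 and
# 664 and their command lines are from the report; the pmropn.exe path, the
# third package and the devenv.exe / cmd.exe rows are invented for the demo.
PMROPN = r"C:\Program Files (x86)\PremierOpinion\pmropn.exe"
CNI = r"C:\Windows\SysWOW64\CheckNetIsolation.exe"
SAMPLE_EVENTS = [
    ProcEvent(232, CNI, "CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.startmenuexperiencehost_cw5n1h2txyewy", 2332, PMROPN, "SYSTEM"),
    ProcEvent(664, CNI, "CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.parentalcontrols_cw5n1h2txyewy", 2332, PMROPN, "SYSTEM"),
    ProcEvent(700, CNI, "CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.Windows.Cortana_cw5n1h2txyewy", 2332, PMROPN, "SYSTEM"),
    ProcEvent(701, r"C:\Windows\System32\conhost.exe", r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1", 700, CNI, "SYSTEM"),
    # Developer adding one exemption from Visual Studio: allow-listed, not reported.
    ProcEvent(800, CNI, '"C:\\Windows\\System32\\CheckNetIsolation.exe" LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe', 9810, r"C:\Program Files\Microsoft Visual Studio\devenv.exe", "admin"),
    # Admin listing exemptions (-s) and adding a single one by hand: reported as low.
    ProcEvent(900, CNI, "CheckNetIsolation.exe LoopbackExempt -s", 9910, r"C:\Windows\System32\cmd.exe", "admin"),
    ProcEvent(901, CNI, "CheckNetIsolation.exe LoopbackExempt -a -n=Microsoft.MicrosoftEdge_8wekyb3d8bbwe", 9910, r"C:\Windows\System32\cmd.exe", "admin"),
]

if __name__ == "__main__":
    for f in find_bulk_loopback_enrolment(SAMPLE_EVENTS):
        print(f.severity, f.parent_pid, basename(f.parent_image), ", ".join(f.packages))
```

On a suspect host, `CheckNetIsolation.exe LoopbackExempt -s` lists the current exemptions and `CheckNetIsolation.exe LoopbackExempt -d -n=<package>` removes one; check and clear them after uninstalling, since the uninstaller is not guaranteed to.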
Total events
73 280
Read events
72 533
Write events
425
Delete events
322

Modification events

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskLogon
Operation: write | Name: Index | Value: 2

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation: write | Name: Hash | Value: CDA7456BF99509A5E35E271627318ADB606F72CB542F752AFB69F292A7535F3C

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation: delete value | Name: Schema

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation: write | Name: Version | Value: 1.0

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation: delete value | Name: Date

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation: write | Name: SecurityDescriptor | Value: D:P(A;;FA;;;SY)(A;;FA;;;BA)(A;;FRFW;;;S-1-5-80-123231216-2592883651-3715271367-3753151631-4175906628)(A;;FR;;;S-1-5-4)

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation: write | Name: Source | Value: $(@%systemroot%\system32\sppc.dll,-200)

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation: write | Name: Author | Value: $(@%systemroot%\system32\sppc.dll,-200)

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation: write | Name: Description | Value: $(@%systemroot%\system32\sppc.dll,-202)

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{892625FE-213B-4B60-95ED-A1CEFCAA365D}
Operation: delete value | Name: Documentation

All ten events are the Task Scheduler service host (svchost.exe, PID 1260) rewriting the TaskCache entry for Windows' own SoftwareProtectionPlatform\SvcRestartTaskLogon task, with its strings resolved from sppc.dll; this is consistent with stock licensing activity (sppextcomobj.exe and slui.exe also appear in the graph) rather than with persistence created by the sample. The sample's own registry writes (uninstall entries, service and certificate changes flagged in the signatures) are only in the full report.
Executable files
70
Suspicious files
684
Text files
232
Unknown types
0

Dropped files

PID
Process
Filename
Type
3008 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF10f157.TMP
3008 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
3008 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF10f167.TMP
3008 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
3008 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10f157.TMP
3008 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
3008 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF10f167.TMP
3008 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
3008 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF10f176.TMP
3008 | msedge.exe | C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old

MD5, SHA256 and Type are not listed for these rows in this extract. All ten are Edge's own LevelDB log rotations (LOG.old plus the ~RF*.TMP rename temporaries under the profile's per-feature databases) written by the browser during normal use, not files written by the sample; the 70 executables and 684 suspicious files counted above are only enumerated in the full report.
Download the PCAP, analyze network streams, HTTP content and more in the full report
HTTP(S) requests
76
TCP/UDP connections
296
DNS requests
153
Threats
15

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
5496 | MoUsoCoreWorker.exe | GET | 200 | 23.48.23.179:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
5496 | MoUsoCoreWorker.exe | GET | 200 | 184.30.21.171:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
6544 | svchost.exe | GET | 200 | 2.17.190.73:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D | unknown | whitelisted
2192 | Xeno Exploit_83776631.exe | GET | 200 | 142.250.186.99:80 | http://o.pki.goog/s/wr3/7DM/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEQDsM1CuTUMozAlVORf8Ight | unknown | whitelisted
2192 | Xeno Exploit_83776631.exe | GET | 200 | 142.250.186.99:80 | http://c.pki.goog/r/r1.crl | unknown | whitelisted
2192 | Xeno Exploit_83776631.exe | GET | 200 | 142.250.186.99:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | whitelisted
2192 | Xeno Exploit_83776631.exe | GET | 200 | 142.250.186.99:80 | http://o.pki.goog/s/wr3/Llw/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEC5cnWKHoYQVCnAzKuFJaMg%3D | unknown | whitelisted
2192 | Xeno Exploit_83776631.exe | GET | 200 | 142.250.186.99:80 | http://c.pki.goog/r/r4.crl | unknown | whitelisted
2192 | Xeno Exploit_83776631.exe | GET | 200 | 18.245.38.41:80 | http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D | unknown | whitelisted
4112 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted

Only two of the CN/Type/Size/Reputation cells survived extraction per row; they are kept in the order the page gave them. Every request listed is a CRL or OCSP fetch (certificate revocation checking). The six from Xeno Exploit_83776631.exe (PID 2192) go to Google and Amazon Trust PKI endpoints, consistent with revocation checks for TLS connections the sample made; the PUP traffic Suricata flagged on pmropn.exe is not among these ten rows and is only visible in the full report's PCAP.

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
 |  | 4.231.128.59:443 |  | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 23.48.23.179:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
6544 | svchost.exe | 20.190.159.73:443 |  | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted
5496 | MoUsoCoreWorker.exe | 184.30.21.171:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
6544 | svchost.exe | 2.17.190.73:80 | ocsp.digicert.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:137 |  |  |  | whitelisted
3216 | svchost.exe | 172.211.123.250:443 |  | MICROSOFT-CORP-MSN-AS-BLOCK | FR | unknown
3008 | msedge.exe | 239.255.255.250:1900 |  |  |  | whitelisted
7292 | msedge.exe | 104.21.48.1:443 | filedm.com |  |  | malicious
7292 | msedge.exe | 216.58.206.42:443 | fonts.googleapis.com | GOOGLE | US | whitelisted

DNS requests

Domain
IP
Reputation
google.com
  • 216.58.206.46
whitelisted
crl.microsoft.com
  • 23.48.23.179
  • 23.48.23.183
  • 23.48.23.176
  • 23.48.23.181
  • 23.48.23.191
  • 23.48.23.138
  • 23.48.23.193
  • 23.48.23.190
  • 23.48.23.145
whitelisted
www.microsoft.com
  • 184.30.21.171
  • 23.35.229.160
whitelisted
ocsp.digicert.com
  • 2.17.190.73
whitelisted
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 150.171.29.11
  • 150.171.30.11
  • 150.171.28.11
  • 150.171.27.11
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.253.45
whitelisted
filedm.com
  • 104.21.48.1
  • 104.21.80.1
  • 104.21.16.1
  • 104.21.96.1
  • 104.21.64.1
  • 104.21.112.1
  • 104.21.32.1
malicious
business.bing.com
  • 13.107.6.158
whitelisted
www.bing.com
  • 92.123.104.65
  • 92.123.104.61
  • 92.123.104.67
  • 92.123.104.13
  • 92.123.104.18
  • 92.123.104.22
  • 92.123.104.19
  • 92.123.104.5
  • 92.123.104.66
  • 92.123.104.62
  • 92.123.104.53
  • 92.123.104.58
  • 92.123.104.63
  • 92.123.104.59
whitelisted

Threats

PID | Process | Class | Message
7292 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7292 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7292 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7292 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
7292 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
7292 | msedge.exe | Not Suspicious Traffic | INFO [ANY.RUN] Cloudflare Network Error Logging (NEL)
4844 | GameBooster.exe | Misc activity | ET INFO Observed Cloudflare DNS over HTTPS Domain (cloudflare-dns .com in TLS SNI)
4844 | GameBooster.exe | Misc activity | ET INFO Cloudflare DNS Over HTTPS Certificate Inbound
2332 | pmropn.exe | Potential Corporate Privacy Violation | ET ADWARE_PUP PUP/PUA OSSProxy HTTP Header
2332 | pmropn.exe | Potential Corporate Privacy Violation | ET ADWARE_PUP Suspected PUP/PUA User-Agent (OSSProxy)

The two ET ADWARE_PUP alerts on pmropn.exe (PID 2332) are the network-side confirmation of the OSSPROXY/PREMIEROPINION mutex and certificate signatures listed above. GameBooster.exe (PID 4844) resolving names through Cloudflare DNS-over-HTTPS means its lookups are carried inside TLS and do not appear in the DNS requests table, which only covers resolution the sandbox can see in clear; treat that table as incomplete for this process. The page counts 15 threats; the remaining alerts are only in the full report.
No debug info