File name: 324.exe

Full analysis: https://app.any.run/tasks/cb35122e-8d51-414a-ad3d-0b21bf2a2dc8
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: February 21, 2025, 14:21:50
OS: Windows 10 Professional (build: 19045, 64 bit)
Tags:
auto
generic
premieropinion
adware
ossproxy
relevantknowledge
stealer
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

15D1C495FF66BF7CEA8A6D14BFDF0A20

SHA1:

942814521FA406A225522F208AC67F90DBDE0AE7

SHA256:

61C2C4A5D7C14F77EE88871DED4CC7F1E49DAE3E4EF209504C66FEDF4D22DE42

SSDEEP:

98304:DtjM+LgnHM8mNLNpOmMGl2p9tjIQh+1GHp8PGmDFzMVv3kdcpR41TBN14BC6SkPT:Kw8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Executing a file with an untrusted certificate

      • 324.exe (PID: 6484)
      • 324.exe (PID: 6332)
      • 324.exe (PID: 7120)
      • 324.exe (PID: 5080)
    • GENERIC has been found (auto)

      • 324.exe (PID: 6484)
    • OSSPROXY mutex has been found

      • ContentI3.exe (PID: 1704)
      • ContentI3.exe (PID: 4388)
      • ContentI3.exe (PID: 4576)
      • ContentI3.exe (PID: 5236)
      • pmropn.exe (PID: 6560)
      • pmropn.exe (PID: 4932)
      • pmropn32.exe (PID: 3828)
      • pmropn64.exe (PID: 6280)
      • pmropn.exe (PID: 6768)
    • PREMIEROPINION mutex has been found

      • ContentI3.exe (PID: 4388)
      • ContentI3.exe (PID: 4576)
      • ContentI3.exe (PID: 5236)
      • ContentI3.exe (PID: 1704)
      • pmropn.exe (PID: 6560)
      • pmropn.exe (PID: 4932)
      • pmropn.exe (PID: 6768)
    • RELEVANTKNOWLEDGE mutex has been found

      • rundll32.exe (PID: 6920)
      • pmropn.exe (PID: 6560)
      • pmropn.exe (PID: 4932)
      • pmropn32.exe (PID: 3828)
      • 324.exe (PID: 5080)
    • Runs injected code in another process

      • rundll32.exe (PID: 6920)
    • Application was injected by another process

      • svchost.exe (PID: 1276)
    • Actions look like stealing of personal data

      • pmropn.exe (PID: 4932)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • 324.exe (PID: 6484)
      • ContentI3.exe (PID: 5236)
      • ContentI3.exe (PID: 4388)
      • ContentI3.exe (PID: 1704)
      • ContentI3.exe (PID: 4576)
      • pmropn.exe (PID: 6560)
      • pmropn.exe (PID: 4932)
      • 324.exe (PID: 5080)
    • There is functionality for taking screenshot (YARA)

      • 324.exe (PID: 6484)
    • Executable content was dropped or overwritten

      • 324.exe (PID: 6484)
      • ContentI3.exe (PID: 5236)
      • ContentI3.exe (PID: 1704)
      • ContentI3.exe (PID: 4576)
      • Steam.exe (PID: 6640)
      • pmropn.exe (PID: 6560)
    • Checks Windows Trust Settings

      • 324.exe (PID: 6484)
      • pmropn.exe (PID: 6560)
      • 324.exe (PID: 5080)
      • pmropn.exe (PID: 4932)
    • Malware-specific behavior (creating "System.dll" in Temp)

      • Steam.exe (PID: 6640)
    • The process creates files with name similar to system file names

      • Steam.exe (PID: 6640)
    • Creates a software uninstall entry

      • pmropn.exe (PID: 6560)
      • ContentI3.exe (PID: 4576)
      • pmservice.exe (PID: 6916)
      • ContentI3.exe (PID: 1704)
      • pmropn.exe (PID: 4932)
    • Adds/modifies Windows certificates

      • pmropn.exe (PID: 6560)
      • pmservice.exe (PID: 6916)
    • Executes as Windows Service

      • pmservice.exe (PID: 6916)
    • Searches for installed software

      • pmservice.exe (PID: 6916)
      • rundll32.exe (PID: 6920)
      • svchost.exe (PID: 1276)
      • reg.exe (PID: 7128)
      • pmropn.exe (PID: 6560)
      • ContentI3.exe (PID: 4576)
      • ContentI3.exe (PID: 1704)
      • pmropn.exe (PID: 4932)
      • pmropn32.exe (PID: 3828)
      • 324.exe (PID: 5080)
      • unsecapp.exe (PID: 1620)
    • Uses RUNDLL32.EXE to load library

      • pmservice.exe (PID: 6916)
    • Starts CMD.EXE for commands execution

      • pmservice.exe (PID: 6916)
  • INFO

    • Checks supported languages

      • 324.exe (PID: 6484)
      • ContentI3.exe (PID: 4576)
      • ContentI3.exe (PID: 5236)
      • ContentI3.exe (PID: 1704)
      • ContentI3.exe (PID: 4388)
      • Steam.exe (PID: 6640)
      • pmropn.exe (PID: 6560)
      • pmservice.exe (PID: 6916)
      • 324.exe (PID: 5080)
      • pmropn.exe (PID: 4932)
      • pmropn32.exe (PID: 3828)
    • The sample compiled with English language support

      • 324.exe (PID: 6484)
      • ContentI3.exe (PID: 1704)
      • ContentI3.exe (PID: 5236)
      • ContentI3.exe (PID: 4576)
      • pmropn.exe (PID: 6560)
    • Creates files or folders in the user directory

      • 324.exe (PID: 6484)
      • ContentI3.exe (PID: 5236)
      • ContentI3.exe (PID: 4388)
      • ContentI3.exe (PID: 1704)
      • ContentI3.exe (PID: 4576)
      • pmropn.exe (PID: 6560)
      • 324.exe (PID: 5080)
      • pmropn.exe (PID: 4932)
    • Checks proxy server information

      • 324.exe (PID: 6484)
      • 324.exe (PID: 5080)
      • pmropn.exe (PID: 6560)
      • pmropn.exe (PID: 4932)
    • Reads the computer name

      • 324.exe (PID: 6484)
      • ContentI3.exe (PID: 4388)
      • ContentI3.exe (PID: 4576)
      • ContentI3.exe (PID: 5236)
      • ContentI3.exe (PID: 1704)
      • Steam.exe (PID: 6640)
      • pmropn.exe (PID: 6560)
      • pmservice.exe (PID: 6916)
      • 324.exe (PID: 5080)
      • pmropn.exe (PID: 4932)
    • Reads the machine GUID from the registry

      • 324.exe (PID: 6484)
      • pmropn.exe (PID: 6560)
      • pmservice.exe (PID: 6916)
      • 324.exe (PID: 5080)
      • pmropn.exe (PID: 4932)
    • Process checks computer location settings

      • 324.exe (PID: 6484)
    • Create files in a temporary directory

      • 324.exe (PID: 6484)
      • ContentI3.exe (PID: 5236)
      • ContentI3.exe (PID: 1704)
      • ContentI3.exe (PID: 4576)
      • Steam.exe (PID: 6640)
    • Reads the software policy settings

      • 324.exe (PID: 6484)
      • pmropn.exe (PID: 6560)
      • pmropn.exe (PID: 4932)
      • pmservice.exe (PID: 6916)
      • 324.exe (PID: 5080)
    • The sample compiled with Bulgarian language support

      • 324.exe (PID: 6484)
    • Creates files in the program directory

      • ContentI3.exe (PID: 5236)
      • ContentI3.exe (PID: 4576)
      • reg.exe (PID: 7128)
      • pmropn.exe (PID: 6560)
      • pmservice.exe (PID: 6916)
      • pmropn.exe (PID: 4932)
    • OSSPROXY has been detected

      • ContentI3.exe (PID: 1704)
      • pmservice.exe (PID: 6916)
      • cmd.exe (PID: 1220)
      • cmd.exe (PID: 7020)
    • Manual execution by a user

      • 324.exe (PID: 7120)
      • 324.exe (PID: 5080)
    • Reads security settings of Internet Explorer

      • cmd.exe (PID: 7020)
      • cmd.exe (PID: 1220)
    • Disables trace logs

      • pmropn.exe (PID: 4932)
Find more information about signature artifacts and mapping to the MITRE ATT&CK™ MATRIX in the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2024:10:18 17:00:18+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.22
CodeSize: 4353024
InitializedDataSize: 1675776
UninitializedDataSize: -
EntryPoint: 0x398c98
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Download Manager
FileVersion: 1
InternalName: Download Manager
LegalCopyright: Download Manager
OriginalFileName: Download Manager
ProductName: Download Manager
ProductVersion: 1
No data.
All screenshots are available in the full report
Total processes
286
Monitored processes
151
Malicious processes
15
Suspicious processes
5

Behavior graph

Process nodes in graph order:
  • start
  • 324.exe
  • #PREMIEROPINION contenti3.exe
  • #PREMIEROPINION contenti3.exe
  • #PREMIEROPINION contenti3.exe
  • #PREMIEROPINION contenti3.exe
  • steam.exe
  • #PREMIEROPINION pmropn.exe
  • pmservice.exe no specs
  • #RELEVANTKNOWLEDGE rundll32.exe no specs
  • reg.exe no specs
  • conhost.exe no specs
  • 324.exe no specs
  • #RELEVANTKNOWLEDGE 324.exe
  • #PREMIEROPINION pmropn.exe
  • unsecapp.exe no specs
  • cmd.exe no specs
  • cmd.exe no specs
  • pmropn64.exe no specs
  • pmropn32.exe no specs
  • pmropn64.exe no specs
  • pmropn32.exe no specs
  • #RELEVANTKNOWLEDGE pmropn32.exe no specs
  • pmropn64.exe no specs
  • checknetisolation.exe no specs
  • conhost.exe no specs
  • #PREMIEROPINION pmropn.exe no specs
  • checknetisolation.exe no specs / conhost.exe no specs (this pair repeats many times in the graph)
  • svchost.exe
  • svchost.exe
  • 324.exe no specs

Process information

PID | CMD | Path | Indicators | Parent process
PID: 432
CMD: CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.gethelp_8wekyb3d8bbwe
Path: C:\Windows\SysWOW64\CheckNetIsolation.exe
Parent process: pmropn.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: AppContainer Network Isolation Diagnostic Tool
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID: 432
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: CheckNetIsolation.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 436
CMD: "C:\PROGRA~2\PREMIE~1\pmropn64.exe" 4932
Path: C:\Program Files (x86)\PremierOpinion\pmropn64.exe
Parent process: cmd.exe
User: SYSTEM
Company: VoiceFive, Inc.
Integrity Level: HIGH
Description: PremierOpinion
Exit code: 3221226540
Version: 1.0.14.10 (Build 14.10)
Modules
Images
c:\program files (x86)\premieropinion\pmropn64.exe
c:\windows\system32\ntdll.dll
PID: 640
CMD: CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.apprep.chxapp_cw5n1h2txyewy
Path: C:\Windows\SysWOW64\CheckNetIsolation.exe
Parent process: pmropn.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: AppContainer Network Isolation Diagnostic Tool
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID: 880
CMD: CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.heifimageextension_8wekyb3d8bbwe
Path: C:\Windows\SysWOW64\CheckNetIsolation.exe
Parent process: pmropn.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: AppContainer Network Isolation Diagnostic Tool
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID: 900
CMD: CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.peopleexperiencehost_cw5n1h2txyewy
Path: C:\Windows\SysWOW64\CheckNetIsolation.exe
Parent process: pmropn.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: AppContainer Network Isolation Diagnostic Tool
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID: 1064
CMD: CheckNetIsolation.exe LoopbackExempt -a -n=windows.cbspreview_cw5n1h2txyewy
Path: C:\Windows\SysWOW64\CheckNetIsolation.exe
Parent process: pmropn.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: AppContainer Network Isolation Diagnostic Tool
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID: 1076
CMD: C:\PROGRA~2\PREMIE~1\pmropn32.exe 4932
Path: C:\Program Files (x86)\PremierOpinion\pmropn32.exe
Parent process: cmd.exe
User: SYSTEM
Company: VoiceFive, Inc.
Integrity Level: HIGH
Description: PremierOpinion
Exit code: 3221226540
Version: 1.0.14.10 (Build 14.10)
Modules
Images
c:\program files (x86)\premieropinion\pmropn32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 1076
CMD: CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.contentdeliverymanager_cw5n1h2txyewy
Path: C:\Windows\SysWOW64\CheckNetIsolation.exe
Parent process: pmropn.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: AppContainer Network Isolation Diagnostic Tool
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID: 1144
CMD: CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.vp9videoextensions_8wekyb3d8bbwe
Path: C:\Windows\SysWOW64\CheckNetIsolation.exe
Parent process: pmropn.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: AppContainer Network Isolation Diagnostic Tool
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
Total events
29 540
Read events
28 910
Write events
346
Delete events
284

Modification events

(PID) Process: (6484) 324.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (6484) 324.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (6484) 324.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1276) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C2AF3602-9179-4BAE-85B3-74A4EF5CF51F}
Operation: write
Name: DynamicInfo
Value:
03000000BDCB09F80A59DA01F7324AF46B84DB0100000000000000003365ABFA6B84DB01

(PID) Process: (1276) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate\RUXIM
Operation: write
Name: SD
Value:
0100049C5C000000680000000000000014000000020048000300000000001400FF011F0001010000000000051200000000001400A900120001010000000000051300000000001800A900120001020000000000052000000020020000010100000000000512000000010100000000000512000000

(PID) Process: (1276) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\WindowsUpdate\RUXIM\PLUGScheduler
Operation: write
Name: Index
Value: 2

(PID) Process: (1276) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6C5B5846-5719-4E9F-A370-765D876DB0EF}
Operation: write
Name: Hash
Value:
616EF862EC8F7E8ED858D89898FB22EF900ABC366B1E9928E10AF3530ADF5430

(PID) Process: (1276) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6C5B5846-5719-4E9F-A370-765D876DB0EF}
Operation: write
Name: Schema
Value: 65540

(PID) Process: (1276) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6C5B5846-5719-4E9F-A370-765D876DB0EF}
Operation: write
Name: Version
Value: 1.0

(PID) Process: (1276) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6C5B5846-5719-4E9F-A370-765D876DB0EF}
Operation: delete value
Name: Date
Value:

Executable files
37
Suspicious files
36
Text files
61
Unknown types
0

Dropped files

PID | Process | Filename | Type
6484 | 324.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary
MD5:3EAB03A3B959BE4EEDC904C4BE8AFB61
SHA256:D17A393C42922263A3C001EF8AE14414D375784687BE0BD7D255F36DE07E8977
6484 | 324.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | der
MD5:300BAD160CE7505B400B0706919A3EE1
SHA256:AECC299B9EA086D582D984442DDC39C5150756582C22C332807E380C8E1AD056
6484 | 324.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | binary
MD5:E935BC5762068CAF3E24A2683B1B8A88
SHA256:A8ACCFCFEB51BD73DF23B91F4D89FF1A9EB7438EF5B12E8AFDA1A6FF1769E89D
1276 | svchost.exe | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work | xml
MD5:5FADF13CCFBDCC5DD728380F7A615B28
SHA256:FF1F73395F6B5B22D5FDA367521FE0DCC31FF252849B7FA85FA346B953A40451
1276 | svchost.exe | C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To Work | xml
MD5:C6086D02F8CE044F5FA07A98303DC7EB
SHA256:8901D9C9AEA465DA4EA7AA874610A90B8CF0A71EBA0E321CF9675FCEEE0B54A0
6484 | 324.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8 | binary
MD5:971C514F84BBA0785F80AA1C23EDFD79
SHA256:F157ED17FCAF8837FA82F8B69973848C9B10A02636848F995698212A08F31895
6484 | 324.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | binary
MD5:824CE0F3E5205C44BFEAB89E8C809E4F
SHA256:252DC82035FC332D35E6429B4B1F25E33D6DA40F7C4B660838D7DF3DD64079AE
6484 | 324.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\service[1].htm | text
MD5:CB5E100E5A9A3E7F6D1FD97512215282
SHA256:CA00FCCFB408989EDDC401062C4D1219A6ACEB6B9B55412357F1790862E8F178
6484 | 324.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C2C9D7FCC58B6FD9BF152E66809C1BBE_9962014287DF49023620C3F0C27B8ACE | binary
MD5:BBE63CBA274D24848BD5F76671A059AA
SHA256:98F72CC12225ECB69813A950B3DF909E709432FD4F6FA27F1EBB25E353F0EB8A
6484 | 324.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\logo[1].png | image
MD5:2D4E9E8198F0C3EADE53C619CD1FE4EA
SHA256:C97E703578120C1F7A570ACAC3B461178A5E051CE16BE9E266C1789C1D610AC0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
24
TCP/UDP connections
105
DNS requests
35
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
6484
324.exe
GET
200
216.58.206.35:80
http://o.pki.goog/s/wr3/fgA/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEH4AzC8CtsuHCuCmoKpV7Vk%3D
unknown
whitelisted
2456
svchost.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
6484
324.exe
GET
200
172.217.18.99:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
whitelisted
2456
svchost.exe
GET
200
23.32.238.107:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6484
324.exe
POST
200
165.193.78.234:80
http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=17&uid=Da0AsTaRAdrHleJqf55555
unknown
malicious
6484
324.exe
POST
200
165.193.78.234:80
http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=1&uid=Da0AsTaRAdrHleJqf55555
unknown
malicious
6484
324.exe
POST
200
165.193.78.234:80
http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=4&uid=Da0AsTaRAdrHleJqf55555
unknown
malicious
6484
324.exe
GET
200
104.18.38.233:80
http://ocsp.comodoca.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRTtU9uFqgVGHhJwXZyWCNXmVR5ngQUoBEKIz6W8Qfs4q8p74Klf9AwpLQCEDlyRDr5IrdR19NsEN0xNZU%3D
unknown
whitelisted
6484
324.exe
GET
200
172.64.149.23:80
http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEBN9U5yqfDGppDNwGWiEeo0%3D
unknown
whitelisted
6484
324.exe
GET
200
216.58.206.35:80
http://o.pki.goog/s/wr3/URM/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEFET1OsgXJOMCsceBPevDRA%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
104.126.37.185:443
www.bing.com
Akamai International B.V.
DE
whitelisted
4712
MoUsoCoreWorker.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
2456
svchost.exe
23.32.238.107:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
2456
svchost.exe
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
6136
RUXIMICS.exe
51.104.136.2:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
6484
324.exe
35.190.60.70:443
www.dlsft.com
GOOGLE
US
whitelisted
6484
324.exe
172.217.18.99:80
ocsp.pki.goog
GOOGLE
US
whitelisted
6484
324.exe
142.250.184.227:80
c.pki.goog
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
www.bing.com
  • 104.126.37.185
  • 104.126.37.163
  • 104.126.37.178
  • 104.126.37.176
  • 104.126.37.170
  • 104.126.37.130
  • 104.126.37.171
  • 104.126.37.131
  • 104.126.37.123
  • 92.123.104.26
  • 92.123.104.13
  • 92.123.104.18
  • 92.123.104.21
  • 92.123.104.23
  • 92.123.104.15
  • 92.123.104.27
  • 92.123.104.22
  • 92.123.104.19
whitelisted
settings-win.data.microsoft.com
  • 51.104.136.2
whitelisted
crl.microsoft.com
  • 23.32.238.107
  • 23.32.238.112
whitelisted
google.com
  • 216.58.212.142
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
www.dlsft.com
  • 35.190.60.70
unknown
ocsp.pki.goog
  • 172.217.18.99
whitelisted
c.pki.goog
  • 142.250.184.227
whitelisted
o.pki.goog
  • 216.58.206.35
whitelisted
dlsft.com
  • 35.190.60.70
unknown

Threats

No threats detected
Debug output

Process | Message
324.exe |
324.exe | at initializeDynamicVariables (this://app/main.html(351))
324.exe | Error: (undefined) has no property - value
324.exe |
324.exe | at getFileInfo.@307@46 (this://app/main.html(329))
324.exe | scanning node question /questions/question
324.exe | scanning node question /questions/question
324.exe | scanning node question /questions/question
324.exe | scanning node questions /questions
324.exe | scanning node question /questions/question