URL:

https://boosterx.org/en/

Full analysis: https://app.any.run/tasks/3b24a4e9-de01-49ae-b9cf-3d9b7de6295b
Verdict: Malicious activity
Analysis date: March 29, 2025, 00:45:23
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
evasion
upx
menorah
Indicators:
MD5:

DB8D1DCC756227449D23021431778E4D

SHA1:

F99D7D191C6BE568E38DEFDDF213F80DC78A5F49

SHA256:

8DC26F2D579785B9274D568ACA7A78148C8DA2F77AFD768A54F454F118EFF200

SSDEEP:

3:N8KY6:2KY6

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • MENORAH has been detected (YARA)

      • BoosterX.exe (PID: 7916)
    • Changes the Windows auto-update feature

      • BoosterX.exe (PID: 7916)
      • BoosterX.exe (PID: 2644)
    • Application was injected by another process

      • cmd.exe (PID: 5416)
      • reg.exe (PID: 6112)
      • cmd.exe (PID: 7180)
      • cmd.exe (PID: 6136)
    • Runs injected code in another process

      • BoosterX.exe (PID: 7916)
      • BoosterX.exe (PID: 2644)
    • Changes firewall settings

      • reg.exe (PID: 516)
      • reg.exe (PID: 7972)
      • reg.exe (PID: 3976)
    • Disables Windows firewall

      • reg.exe (PID: 516)
      • reg.exe (PID: 7972)
      • reg.exe (PID: 3976)
    • Changes Windows Defender settings

      • cmd.exe (PID: 5416)
      • cmd.exe (PID: 6136)
    • UAC/LUA settings modification

      • reg.exe (PID: 7300)
    • Uses NET.EXE to stop Windows Update service

      • cmd.exe (PID: 7180)
    • Starts NET.EXE for service management

      • cmd.exe (PID: 7180)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • BoosterX.exe (PID: 7916)
      • cmd.exe (PID: 7180)
    • Uses WEVTUTIL.EXE to change log configuration

      • BoosterX.exe (PID: 7916)
      • BoosterX.exe (PID: 2644)
    • Uses WEVTUTIL.EXE to get log configuration information

      • BoosterX.exe (PID: 7916)
      • BoosterX.exe (PID: 2644)
    • Starts CMD.EXE for commands execution

      • BoosterX.exe (PID: 7916)
      • cmd.exe (PID: 5416)
      • BoosterX.exe (PID: 2644)
      • cmd.exe (PID: 6136)
    • Checks for external IP

      • BoosterX.exe (PID: 7916)
    • Starts application with an unusual extension

      • cmd.exe (PID: 7644)
      • cmd.exe (PID: 2516)
      • cmd.exe (PID: 1748)
      • cmd.exe (PID: 5624)
      • cmd.exe (PID: 4508)
    • Reads the date of Windows installation

      • BoosterX.exe (PID: 7916)
      • BoosterX.exe (PID: 2644)
    • There is functionality for taking screenshot (YARA)

      • BoosterX.exe (PID: 7916)
    • Adds/modifies Windows certificates

      • BoosterX.exe (PID: 7916)
    • Reads security settings of Internet Explorer

      • BoosterX.exe (PID: 7916)
      • ShellExperienceHost.exe (PID: 7584)
      • BoosterX.exe (PID: 2644)
    • Connects to the server without a host name

      • BoosterX.exe (PID: 7916)
    • Uses TASKKILL.EXE to kill process

      • cmd.exe (PID: 7784)
      • cmd.exe (PID: 5944)
    • Uses powercfg.exe to modify the power settings

      • cmd.exe (PID: 7704)
    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2332)
      • cmd.exe (PID: 8864)
      • cmd.exe (PID: 8016)
      • cmd.exe (PID: 3132)
      • cmd.exe (PID: 8532)
      • cmd.exe (PID: 8924)
      • cmd.exe (PID: 4212)
      • cmd.exe (PID: 5416)
      • cmd.exe (PID: 7548)
      • cmd.exe (PID: 5384)
      • cmd.exe (PID: 3800)
      • cmd.exe (PID: 1276)
      • cmd.exe (PID: 3804)
      • cmd.exe (PID: 8020)
      • cmd.exe (PID: 5036)
      • cmd.exe (PID: 3032)
      • cmd.exe (PID: 1128)
      • cmd.exe (PID: 8984)
      • cmd.exe (PID: 744)
      • cmd.exe (PID: 8464)
      • cmd.exe (PID: 4244)
      • cmd.exe (PID: 8500)
      • cmd.exe (PID: 300)
      • cmd.exe (PID: 7180)
      • cmd.exe (PID: 8584)
      • cmd.exe (PID: 5892)
      • cmd.exe (PID: 7280)
      • cmd.exe (PID: 8692)
      • cmd.exe (PID: 8900)
      • cmd.exe (PID: 6620)
      • cmd.exe (PID: 8556)
      • cmd.exe (PID: 6768)
      • cmd.exe (PID: 2064)
      • cmd.exe (PID: 6208)
      • cmd.exe (PID: 2332)
      • cmd.exe (PID: 5748)
      • cmd.exe (PID: 6740)
      • cmd.exe (PID: 4196)
      • cmd.exe (PID: 8596)
      • cmd.exe (PID: 8032)
      • cmd.exe (PID: 7328)
      • cmd.exe (PID: 8372)
      • cmd.exe (PID: 2112)
      • cmd.exe (PID: 7760)
      • cmd.exe (PID: 648)
      • cmd.exe (PID: 240)
      • cmd.exe (PID: 5980)
      • cmd.exe (PID: 6136)
    • Found strings related to reading or modifying Windows Defender settings

      • BoosterX.exe (PID: 7916)
    • Starts POWERSHELL.EXE for commands execution

      • cmd.exe (PID: 5416)
      • cmd.exe (PID: 7180)
      • cmd.exe (PID: 6136)
    • Script disables Windows Defender's real-time protection

      • cmd.exe (PID: 5416)
      • cmd.exe (PID: 6136)
    • Creates or modifies Windows services

      • reg.exe (PID: 4164)
      • reg.exe (PID: 4932)
      • reg.exe (PID: 7208)
    • Uses ICACLS.EXE to modify access control lists

      • cmd.exe (PID: 7180)
    • Takes ownership (TAKEOWN.EXE)

      • cmd.exe (PID: 7180)
    • Process drops legitimate windows executable

      • cmd.exe (PID: 7180)
    • Starts SC.EXE for service management

      • cmd.exe (PID: 7180)
      • cmd.exe (PID: 8824)
      • cmd.exe (PID: 8940)
      • cmd.exe (PID: 5072)
      • cmd.exe (PID: 904)
      • cmd.exe (PID: 7244)
    • Windows service management via SC.EXE

      • sc.exe (PID: 8976)
      • sc.exe (PID: 7988)
    • Stops a currently running service

      • sc.exe (PID: 8484)
      • sc.exe (PID: 5384)
      • sc.exe (PID: 7680)
    • Deletes scheduled task without confirmation

      • schtasks.exe (PID: 5180)
    • The process executes via Task Scheduler

      • BoosterX.exe (PID: 2644)
  • INFO

    • Executable content was dropped or overwritten

      • msedge.exe (PID: 7768)
      • msedge.exe (PID: 7508)
    • Checks supported languages

      • identity_helper.exe (PID: 8792)
      • identity_helper.exe (PID: 9000)
      • chcp.com (PID: 7672)
      • BoosterX.exe (PID: 7916)
      • ShellExperienceHost.exe (PID: 7584)
      • chcp.com (PID: 8960)
      • chcp.com (PID: 2416)
      • BoosterX.exe (PID: 2644)
      • chcp.com (PID: 1044)
      • chcp.com (PID: 4404)
    • Reads the computer name

      • identity_helper.exe (PID: 8792)
      • identity_helper.exe (PID: 9000)
      • BoosterX.exe (PID: 7916)
      • ShellExperienceHost.exe (PID: 7584)
      • BoosterX.exe (PID: 2644)
    • Reads Environment values

      • identity_helper.exe (PID: 8792)
      • identity_helper.exe (PID: 9000)
      • BoosterX.exe (PID: 7916)
      • BoosterX.exe (PID: 2644)
    • Application launched itself

      • msedge.exe (PID: 7508)
      • msedge.exe (PID: 6512)
    • Autorun file from Downloads

      • msedge.exe (PID: 9048)
      • msedge.exe (PID: 7508)
    • Reads security settings of Internet Explorer

      • BackgroundTransferHost.exe (PID: 8300)
      • BackgroundTransferHost.exe (PID: 8372)
      • BackgroundTransferHost.exe (PID: 7552)
      • BackgroundTransferHost.exe (PID: 9036)
      • BackgroundTransferHost.exe (PID: 6344)
    • Checks proxy server information

      • BackgroundTransferHost.exe (PID: 8372)
      • BoosterX.exe (PID: 7916)
      • slui.exe (PID: 7836)
    • Creates files or folders in the user directory

      • BackgroundTransferHost.exe (PID: 8372)
      • BoosterX.exe (PID: 7916)
      • powercfg.exe (PID: 8172)
      • BoosterX.exe (PID: 2644)
    • Reads the software policy settings

      • BackgroundTransferHost.exe (PID: 8372)
      • slui.exe (PID: 8648)
      • BoosterX.exe (PID: 7916)
      • slui.exe (PID: 7836)
      • BoosterX.exe (PID: 2644)
    • Manual execution by a user

      • BoosterX.exe (PID: 7916)
      • BoosterX.exe (PID: 8960)
    • Create files in a temporary directory

      • BoosterX.exe (PID: 7916)
      • BoosterX.exe (PID: 2644)
    • Reads the machine GUID from the registry

      • BoosterX.exe (PID: 7916)
      • BoosterX.exe (PID: 2644)
    • Creates files in the program directory

      • BoosterX.exe (PID: 7916)
    • Disables trace logs

      • BoosterX.exe (PID: 7916)
    • Process checks whether UAC notifications are on

      • BoosterX.exe (PID: 7916)
      • BoosterX.exe (PID: 2644)
    • Changes the display of characters in the console

      • cmd.exe (PID: 7644)
      • cmd.exe (PID: 1748)
      • cmd.exe (PID: 2516)
      • cmd.exe (PID: 5624)
      • cmd.exe (PID: 4508)
    • UPX packer has been detected

      • BoosterX.exe (PID: 7916)
    • Reads mouse settings

      • BoosterX.exe (PID: 7916)
      • reg.exe (PID: 5780)
      • reg.exe (PID: 8252)
      • reg.exe (PID: 8556)
      • BoosterX.exe (PID: 2644)
    • Reads CPU info

      • BoosterX.exe (PID: 7916)
      • BoosterX.exe (PID: 2644)
    • Process checks computer location settings

      • BoosterX.exe (PID: 7916)
      • BoosterX.exe (PID: 2644)
    • The sample was compiled with English language support

      • cmd.exe (PID: 7180)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes:
759
Monitored processes:
284
Malicious processes:
8
Suspicious processes:
4


Process information

PID
CMD
Path
Indicators
Parent process
PID:
132
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
240
CMD:
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\SYSTEM\Maps" /v "AutoUpdateEnabled" /t reg_dword /d "0" /f
Path:
C:\Windows\System32\cmd.exe
Parent process:
BoosterX.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID:
300
CMD:
"C:\Windows\System32\cmd.exe" /c reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DriverSearching" /v "SearchOrderConfig" /t reg_dword /d "3" /f
Path:
C:\Windows\System32\cmd.exe
Parent process:
BoosterX.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID:
516
CMD:
reg add "HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\PublicProfile" /v "EnableFirewall" /t reg_dword /d "0" /f
Path:
C:\Windows\System32\reg.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
516
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
632
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
wevtutil.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID:
648
CMD:
"C:\Windows\System32\cmd.exe" /c reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t reg_dword /d "0" /f
Path:
C:\Windows\System32\cmd.exe
Parent process:
BoosterX.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID:
744
CMD:
"C:\Windows\System32\cmd.exe" /c reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Search" /v "BackgroundAppGlobalToggle" /t reg_dword /d "0" /f
Path:
C:\Windows\System32\cmd.exe
Parent process:
BoosterX.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
PID:
864
CMD:
reg add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d "0" /f
Path:
C:\Windows\System32\reg.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID:
900
CMD:
\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path:
C:\Windows\System32\conhost.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
Total events:
56 541
Read events:
55 479
Write events:
674
Delete events:
388

Modification events

(PID) Process:
(7508) msedge.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:
write
Name:
failed_count
Value:
0
(PID) Process:
(7508) msedge.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:
write
Name:
state
Value:
2
(PID) Process:
(7508) msedge.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\BLBeacon
Operation:
write
Name:
state
Value:
1
(PID) Process:
(7376) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation:
write
Name:
CachePrefix
Value:
(PID) Process:
(7376) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation:
write
Name:
CachePrefix
Value:
Cookie:
(PID) Process:
(7376) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation:
write
Name:
CachePrefix
Value:
Visited:
(PID) Process:
(7376) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:
write
Name:
CompatibilityFlags
Value:
0
(PID) Process:
(7376) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones
Operation:
write
Name:
SecuritySafe
Value:
1
(PID) Process:
(7376) iexplore.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main
Operation:
write
Name:
DisableFirstRunCustomize
Value:
1
(PID) Process:
(7508) msedge.exe
Key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Edge\StabilityMetrics
Operation:
write
Name:
user_experience_metrics.stability.exited_cleanly
Value:
0
Executable files:
20
Suspicious files:
389
Text files:
108
Unknown types:
1

Dropped files

PID
Process
Filename
Type
PID:
7508
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old~RF10bb14.TMP
MD5:
SHA256:
PID:
7508
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\parcel_tracking_db\LOG.old
MD5:
SHA256:
PID:
7508
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old~RF10bb24.TMP
MD5:
SHA256:
PID:
7508
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old~RF10bb24.TMP
MD5:
SHA256:
PID:
7508
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\discounts_db\LOG.old
MD5:
SHA256:
PID:
7508
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old~RF10bb24.TMP
MD5:
SHA256:
PID:
7508
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\PersistentOriginTrials\LOG.old
MD5:
SHA256:
PID:
7508
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\commerce_subscription_db\LOG.old
MD5:
SHA256:
PID:
7508
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old~RF10bb34.TMP
MD5:
SHA256:
PID:
7508
Process:
msedge.exe
Filename:
C:\Users\admin\AppData\Local\Microsoft\Edge\User Data\Default\EdgePushStorageWithConnectTokenAndKey\LOG.old
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests:
39
TCP/UDP connections:
152
DNS requests:
89
Threats:
4

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
2.16.164.49:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
6544
svchost.exe
GET
200
184.30.131.245:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted
7916
BoosterX.exe
GET
200
104.18.20.226:80
http://ocsp.globalsign.com/gsgccr45codesignca2020/ME0wSzBJMEcwRTAJBgUrDgMCGgUABBTLuA3ygnKW%2F7xuSx%2F09F%2BhHVuEUQQU2rONwCSQo2t30wygWd0hZ2R2C3gCDCA%2Bm9pn2L4BUkZvtw%3D%3D
unknown
whitelisted
7916
BoosterX.exe
GET
200
104.18.20.226:80
http://ocsp.globalsign.com/codesigningrootr45/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQVFZP5vqhCrtRN5SWf40Rn6NM1IAQUHwC%2FRoAK%2FHg5t6W0Q9lWULvOljsCEHe9DgOhtwj4VKsGchDZBEc%3D
unknown
whitelisted
8056
svchost.exe
HEAD
200
2.19.11.120:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0b4faaeb-74fe-4e17-9566-1ecd360a5757?P1=1743755863&P2=404&P3=2&P4=VmgjmUGPZGiu2awMHikZOox%2bYuDPq15hTrHnaoDHDa%2bxRL3b%2falhT6PjuHkHKV4v8CBZxCE8lDpeUtgH8U8PHA%3d%3d
unknown
whitelisted
8056
svchost.exe
GET
206
2.19.11.120:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0b4faaeb-74fe-4e17-9566-1ecd360a5757?P1=1743755863&P2=404&P3=2&P4=VmgjmUGPZGiu2awMHikZOox%2bYuDPq15hTrHnaoDHDa%2bxRL3b%2falhT6PjuHkHKV4v8CBZxCE8lDpeUtgH8U8PHA%3d%3d
unknown
whitelisted
7916
BoosterX.exe
GET
200
139.196.166.96:80
http://139.196.166.96/_health
unknown
unknown
7916
BoosterX.exe
GET
200
139.162.165.156:80
http://reserve.boosterx.org/_health
unknown
unknown
7916
BoosterX.exe
GET
200
104.26.13.205:80
http://api.ipify.org/
unknown
malicious
8056
svchost.exe
GET
206
2.19.11.120:80
http://msedge.b.tlu.dl.delivery.mp.microsoft.com/filestreamingservice/files/0b4faaeb-74fe-4e17-9566-1ecd360a5757?P1=1743755863&P2=404&P3=2&P4=VmgjmUGPZGiu2awMHikZOox%2bYuDPq15hTrHnaoDHDa%2bxRL3b%2falhT6PjuHkHKV4v8CBZxCE8lDpeUtgH8U8PHA%3d%3d
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:138
whitelisted
2104
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
2.16.164.49:80
crl.microsoft.com
Akamai International B.V.
NL
whitelisted
7508
msedge.exe
239.255.255.250:1900
whitelisted
7768
msedge.exe
172.67.146.209:443
boosterx.org
unknown
7768
msedge.exe
13.107.42.16:443
config.edge.skype.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7768
msedge.exe
142.250.185.170:443
fonts.googleapis.com
GOOGLE
US
whitelisted
7768
msedge.exe
13.107.246.45:443
edge-mobile-static.azureedge.net
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted
7768
msedge.exe
150.171.27.11:443
edge.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
US
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 20.73.194.208
  • 40.127.240.158
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 2.16.164.49
  • 2.16.164.120
whitelisted
google.com
  • 142.250.185.174
whitelisted
boosterx.org
  • 172.67.146.209
  • 104.21.81.207
unknown
config.edge.skype.com
  • 13.107.42.16
whitelisted
edge.microsoft.com
  • 150.171.27.11
  • 150.171.28.11
whitelisted
edge-mobile-static.azureedge.net
  • 13.107.246.45
whitelisted
business.bing.com
  • 13.107.6.158
whitelisted
bzib.nelreports.net
  • 2.22.242.105
  • 2.22.242.11
whitelisted
www.bing.com
  • 2.23.227.208
  • 2.23.227.215
  • 2.19.122.26
  • 2.19.122.33
  • 2.19.122.30
  • 2.19.122.12
  • 2.19.122.31
  • 2.16.241.218
  • 2.16.241.201
whitelisted

Threats

PID
Process
Class
Message
7916
BoosterX.exe
Device Retrieving External IP Address Detected
ET INFO External IP Lookup api.ipify.org
7916
BoosterX.exe
Device Retrieving External IP Address Detected
POLICY [ANY.RUN] External IP Lookup by HTTP (api .ipify .org)
2196
svchost.exe
Misc activity
ET INFO External IP Lookup Domain (ipify .org) in DNS Lookup
7916
BoosterX.exe
Device Retrieving External IP Address Detected
SUSPICIOUS [ANY.RUN] An IP address was received from the server as a result of an HTTP request
No debug info