File name:

Drift Exploit_92975122.exe

Full analysis: https://app.any.run/tasks/765f4f60-aa40-4fde-825c-7b478a8deb9e
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: June 14, 2025, 19:42:58
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
premieropinion
adware
ossproxy
relevantknowledge
opera
tool
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:

688165A01A09BF0A274DF49A074CA7AF

SHA1:

BA2E194E9BD592F11913B1BEA3CA7C7BE4521F5D

SHA256:

C7791778F6329F2EE70DB33A77F9B33EDAC40E8C87E6E243405711361761A01F

SSDEEP:

98304:S4RaOF922Hz5ShkWSX9RMl3PqhUsTZiwBJ1p55DxE899NOwBHkj5vNDSTIeH9I3+:wf7e

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • PREMIEROPINION mutex has been found

      • ContentI3.exe (PID: 7056)
      • pmropn.exe (PID: 888)
    • OSSPROXY mutex has been found

      • pmropn.exe (PID: 888)
    • Runs injected code in another process

      • rundll32.exe (PID: 3624)
    • Application was injected by another process

      • svchost.exe (PID: 1304)
    • RELEVANTKNOWLEDGE mutex has been found

      • rundll32.exe (PID: 3624)
      • pmropn.exe (PID: 888)
    • Changes the autorun value in the registry

      • opera.exe (PID: 4216)
  • SUSPICIOUS

    • Reads security settings of Internet Explorer

      • Drift Exploit_92975122.exe (PID: 3652)
      • setup.exe (PID: 7048)
      • ContentI3.exe (PID: 7056)
      • installer.exe (PID: 2356)
      • pmropn.exe (PID: 888)
    • Executable content was dropped or overwritten

      • OperaGX.exe (PID: 3844)
      • Drift Exploit_92975122.exe (PID: 3652)
      • setup.exe (PID: 6620)
      • setup.exe (PID: 7048)
      • setup.exe (PID: 6228)
      • setup.exe (PID: 4012)
      • setup.exe (PID: 1180)
      • Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe (PID: 7052)
      • ContentI3.exe (PID: 7056)
      • installer.exe (PID: 5720)
      • installer.exe (PID: 2356)
      • pmropn.exe (PID: 888)
      • installer.exe (PID: 8460)
      • installer.exe (PID: 9532)
      • opera_autoupdate.exe (PID: 9336)
      • installer.exe (PID: 7836)
    • Application launched itself

      • setup.exe (PID: 7048)
      • assistant_installer.exe (PID: 3480)
      • setup.exe (PID: 4012)
      • installer.exe (PID: 2356)
      • opera.exe (PID: 4216)
      • installer.exe (PID: 8460)
      • opera_autoupdate.exe (PID: 9336)
      • opera_autoupdate.exe (PID: 9716)
    • Starts itself from another location

      • setup.exe (PID: 7048)
    • There is functionality for taking screenshot (YARA)

      • Drift Exploit_92975122.exe (PID: 3652)
      • setup.exe (PID: 7048)
    • Start notepad (likely ransomware note)

      • Drift Exploit_92975122.exe (PID: 3652)
    • Searches for installed software

      • installer.exe (PID: 2356)
      • pmservice.exe (PID: 2348)
      • pmropn.exe (PID: 888)
      • reg.exe (PID: 4880)
      • rundll32.exe (PID: 3624)
      • svchost.exe (PID: 1304)
    • Reads the date of Windows installation

      • installer.exe (PID: 2356)
    • Creates a software uninstall entry

      • installer.exe (PID: 2356)
      • pmropn.exe (PID: 888)
      • pmservice.exe (PID: 2348)
    • Adds/modifies Windows certificates

      • pmropn.exe (PID: 888)
      • pmservice.exe (PID: 2348)
    • Uses RUNDLL32.EXE to load library

      • pmservice.exe (PID: 2348)
    • Executes as Windows Service

      • pmservice.exe (PID: 2348)
    • The process executes via Task Scheduler

      • opera_autoupdate.exe (PID: 9336)
    • Starts CMD.EXE for commands execution

      • pmservice.exe (PID: 2348)
  • INFO

    • Checks supported languages

      • Drift Exploit_92975122.exe (PID: 3652)
      • OperaGX.exe (PID: 3844)
      • setup.exe (PID: 6620)
      • setup.exe (PID: 7048)
      • setup.exe (PID: 6228)
      • setup.exe (PID: 4012)
      • setup.exe (PID: 1180)
      • Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe (PID: 7052)
      • assistant_installer.exe (PID: 3480)
      • assistant_installer.exe (PID: 4880)
      • ContentI3.exe (PID: 7056)
      • pmropn.exe (PID: 888)
      • installer.exe (PID: 2356)
      • installer.exe (PID: 5720)
      • opera.exe (PID: 3196)
      • pmservice.exe (PID: 2348)
      • opera_crashreporter.exe (PID: 3100)
      • opera_crashreporter.exe (PID: 2292)
      • opera.exe (PID: 4232)
      • opera.exe (PID: 4880)
      • opera.exe (PID: 4216)
      • opera.exe (PID: 4544)
      • opera.exe (PID: 3580)
      • opera.exe (PID: 2368)
      • opera.exe (PID: 5896)
      • opera.exe (PID: 6140)
      • opera_gx_splash.exe (PID: 5556)
      • opera.exe (PID: 6732)
      • opera.exe (PID: 6528)
    • The sample was compiled with English language support

      • Drift Exploit_92975122.exe (PID: 3652)
      • OperaGX.exe (PID: 3844)
      • setup.exe (PID: 6620)
      • setup.exe (PID: 7048)
      • setup.exe (PID: 6228)
      • setup.exe (PID: 4012)
      • setup.exe (PID: 1180)
      • Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe (PID: 7052)
      • ContentI3.exe (PID: 7056)
      • installer.exe (PID: 2356)
      • pmropn.exe (PID: 888)
      • installer.exe (PID: 8460)
      • opera_autoupdate.exe (PID: 9336)
      • installer.exe (PID: 7836)
    • Reads the computer name

      • Drift Exploit_92975122.exe (PID: 3652)
      • setup.exe (PID: 7048)
      • assistant_installer.exe (PID: 3480)
      • setup.exe (PID: 4012)
      • pmropn.exe (PID: 888)
      • ContentI3.exe (PID: 7056)
      • installer.exe (PID: 2356)
      • pmservice.exe (PID: 2348)
      • opera.exe (PID: 4216)
      • opera.exe (PID: 3196)
      • opera.exe (PID: 4880)
      • opera.exe (PID: 4232)
      • opera_gx_splash.exe (PID: 5556)
    • Creates files or folders in the user directory

      • Drift Exploit_92975122.exe (PID: 3652)
      • setup.exe (PID: 6620)
      • setup.exe (PID: 7048)
      • setup.exe (PID: 4012)
      • ContentI3.exe (PID: 7056)
      • installer.exe (PID: 2356)
      • pmropn.exe (PID: 888)
      • opera.exe (PID: 4216)
    • Reads the software policy settings

      • Drift Exploit_92975122.exe (PID: 3652)
      • setup.exe (PID: 7048)
      • pmropn.exe (PID: 888)
      • pmservice.exe (PID: 2348)
    • Reads the machine GUID from the registry

      • Drift Exploit_92975122.exe (PID: 3652)
      • setup.exe (PID: 7048)
      • pmropn.exe (PID: 888)
      • pmservice.exe (PID: 2348)
      • opera.exe (PID: 4216)
    • Checks proxy server information

      • Drift Exploit_92975122.exe (PID: 3652)
      • setup.exe (PID: 7048)
      • pmropn.exe (PID: 888)
      • opera.exe (PID: 4216)
    • Creates files in a temporary directory

      • OperaGX.exe (PID: 3844)
      • setup.exe (PID: 6620)
      • setup.exe (PID: 6228)
      • setup.exe (PID: 4012)
      • setup.exe (PID: 7048)
      • setup.exe (PID: 1180)
      • Drift Exploit_92975122.exe (PID: 3652)
      • Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe (PID: 7052)
      • ContentI3.exe (PID: 7056)
      • installer.exe (PID: 5720)
      • installer.exe (PID: 2356)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 6688)
    • Creates files in the program directory

      • ContentI3.exe (PID: 7056)
      • reg.exe (PID: 4880)
      • pmropn.exe (PID: 888)
      • pmservice.exe (PID: 2348)
    • OSSPROXY has been detected

      • ContentI3.exe (PID: 7056)
      • pmservice.exe (PID: 2348)
      • cmd.exe (PID: 6796)
      • cmd.exe (PID: 10176)
    • Process checks computer location settings

      • Drift Exploit_92975122.exe (PID: 3652)
      • opera.exe (PID: 4216)
      • opera.exe (PID: 6140)
    • Manual execution by a user

      • opera.exe (PID: 4216)
      • notepad.exe (PID: 4528)
    • OPERA mutex has been found

      • opera.exe (PID: 4216)
    • Launching a file from a Registry key

      • opera.exe (PID: 4216)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:27 11:09:23+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.22
CodeSize: 4352000
InitializedDataSize: 1675264
UninitializedDataSize: -
EntryPoint: 0x3989ba
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Manager
FileVersion: 1
InternalName: Manager
LegalCopyright: Manager
OriginalFileName: Manager
ProductName: Manager
ProductVersion: 1
No data.
All screenshots are available in the full report
Total processes
258
Monitored processes
120
Malicious processes
11
Suspicious processes
2

Behavior graph

(Interactive process graph; the node list is not reproduced here. The process tree is shown in the full report.)

Process information

PID
CMD
Path
Indicators
Parent process
PID: 436
CMD: C:\WINDOWS\System32\slui.exe -Embedding
Path: C:\Windows\System32\slui.exe
Parent process: svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID: 888
CMD: C:\Program Files (x86)\PremierOpinion\pmropn.exe -install -uninst:PremierOpinion -t:InstallUnion -bid:oXljht_CACzaWaa3VLPOPN -o:0
Path: C:\Program Files (x86)\PremierOpinion\pmropn.exe
Parent process: ContentI3.exe
User:
admin
Company:
VoiceFive, Inc.
Integrity Level:
HIGH
Description:
PremierOpinion
Exit code:
0
Version:
1.3.340.310 (Build 340.310)
Modules
Images
c:\program files (x86)\premieropinion\pmropn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\rpcrt4.dll
PID: 1128
CMD: "C:\Users\admin\AppData\Local\Programs\Opera GX\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --no-pre-read-main-dll --with-feature:cashback-assistant=on --with-feature:gx-widgets-mission=off --with-feature:address-bar-dropdown-autocompleted-domains=on --with-feature:address-bar-dropdown-cities=off --with-feature:address-bar-dropdown-keyword-ads=on --with-feature:address-bar-dropdown-unfiltered-full=off --with-feature:ai-writing-mode-in-context-menu=on --with-feature:aria-in-tab-view=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-amazon-us-associates=off --with-feature:continue-shopping-explore=off --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-servers=off --with-feature:gx-april1st=off --with-feature:gx-post-mortem=on --with-feature:gx-reactinator=on --with-feature:gx-spotlight=on --with-feature:gx-video-to-phone=on --with-feature:hide-navigations-from-extensions=on --with-feature:panic-button=on --with-feature:play-again=on --with-feature:realtime-impressions-reporting=on --with-feature:run-at-startup-default=on --with-feature:sd-suggestions-external=on --with-feature:side-profiles=on --with-feature:sitecheck-age=on --with-feature:suggestion-redirect-handler=on --with-feature:tiktok-panel=on --with-feature:ui-compositor-multithreaded=on --with-feature:installer-experiment-test=off --ab_tests=GXCTest25-ref:DNA-99214_GXCTest25,GXCTest50-test:DNA-99214_GXCTest50,DNA-112027-gx-mission-widget-off:DNA-112027 --field-trial-handle=1936,i,13816631525478580992,12327332588452620360,262144 --disable-features=CertificateTransparencyAskBeforeEnabling,PlatformSoftwareH264EncoderInGpu,UpdatableKeyPins --variations-seed-version --mojo-platform-channel-handle=3504 /prefetch:8
Path: C:\Users\admin\AppData\Local\Programs\Opera GX\opera.exe
Parent process: opera.exe
User:
admin
Company:
Opera Software
Integrity Level:
LOW
Description:
Opera GX Internet Browser
Exit code:
0
Version:
119.0.5497.86
Modules
Images
c:\users\admin\appdata\local\programs\opera gx\opera.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\programs\opera gx\119.0.5497.86\opera_elf.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll
PID: 1132
CMD: "C:\Users\admin\AppData\Local\Programs\Opera GX\opera.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --enable-quic --no-pre-read-main-dll --with-feature:cashback-assistant=on --with-feature:gx-widgets-mission=off --with-feature:address-bar-dropdown-autocompleted-domains=on --with-feature:address-bar-dropdown-cities=off --with-feature:address-bar-dropdown-keyword-ads=on --with-feature:address-bar-dropdown-unfiltered-full=off --with-feature:ai-writing-mode-in-context-menu=on --with-feature:aria-in-tab-view=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-amazon-us-associates=off --with-feature:continue-shopping-explore=off --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-servers=off --with-feature:gx-april1st=off --with-feature:gx-post-mortem=on --with-feature:gx-reactinator=on --with-feature:gx-spotlight=on --with-feature:gx-video-to-phone=on --with-feature:hide-navigations-from-extensions=on --with-feature:panic-button=on --with-feature:play-again=on --with-feature:realtime-impressions-reporting=on --with-feature:run-at-startup-default=on --with-feature:sd-suggestions-external=on --with-feature:side-profiles=on --with-feature:sitecheck-age=on --with-feature:suggestion-redirect-handler=on --with-feature:tiktok-panel=on --with-feature:ui-compositor-multithreaded=on --with-feature:installer-experiment-test=off --ab_tests=GXCTest25-ref:DNA-99214_GXCTest25,GXCTest50-test:DNA-99214_GXCTest50,DNA-112027-gx-mission-widget-off:DNA-112027 --field-trial-handle=1936,i,13816631525478580992,12327332588452620360,262144 --disable-features=CertificateTransparencyAskBeforeEnabling,PlatformSoftwareH264EncoderInGpu,UpdatableKeyPins --variations-seed-version --mojo-platform-channel-handle=3600 /prefetch:8
Path: C:\Users\admin\AppData\Local\Programs\Opera GX\opera.exe
Parent process: opera.exe
User:
admin
Company:
Opera Software
Integrity Level:
LOW
Description:
Opera GX Internet Browser
Exit code:
0
Version:
119.0.5497.86
Modules
Images
c:\users\admin\appdata\local\programs\opera gx\opera.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\appdata\local\programs\opera gx\119.0.5497.86\opera_elf.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shcore.dll
c:\windows\system32\combase.dll
PID: 1180
CMD: C:\Users\admin\AppData\Local\Temp\7zS40FBED47\setup.exe --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktopGX --annotation=ver=119.0.5497.92 --initial-client-data=0x28c,0x290,0x294,0x268,0x2a4,0x7ffc42deb248,0x7ffc42deb254,0x7ffc42deb260
Path: C:\Users\admin\AppData\Local\Temp\7zS40FBED47\setup.exe
Parent process: setup.exe
User:
admin
Company:
Opera Software
Integrity Level:
HIGH
Description:
Opera GX Installer
Exit code:
0
Version:
119.0.5497.92
Modules
Images
c:\users\admin\appdata\local\temp\7zs40fbed47\setup.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
PID: 1304
CMD: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Schedule
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2044
CMD: "C:\Users\admin\AppData\Local\Temp\Drift Exploit_92975122.exe"
Path: C:\Users\admin\AppData\Local\Temp\Drift Exploit_92975122.exe
Parent process: explorer.exe
User:
admin
Integrity Level:
MEDIUM
Description:
Manager
Exit code:
3221226540
Version:
1
Modules
Images
c:\users\admin\appdata\local\temp\drift exploit_92975122.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID: 2200
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2292
CMD: "C:\Users\admin\AppData\Local\Programs\Opera GX\119.0.5497.86\opera_crashreporter.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\Crash Reports" "--crash-count-file=C:\Users\admin\AppData\Roaming\Opera Software\Opera GX Stable\crash_count.txt" --url=https://crashstats-collector-2.opera.com/ --annotation=channel=Stable --annotation=plat=Win64 --annotation=prod=OperaDesktopGX --annotation=ver=119.0.5497.86 --initial-client-data=0x214,0x218,0x21c,0x210,0x220,0x7ffc259a7b30,0x7ffc259a7b40,0x7ffc259a7b50
Path: C:\Users\admin\AppData\Local\Programs\Opera GX\119.0.5497.86\opera_crashreporter.exe
Parent process: opera.exe
User:
admin
Company:
Opera Software
Integrity Level:
HIGH
Description:
Opera GX crash-reporter
Exit code:
0
Version:
119.0.5497.86
Modules
Images
c:\users\admin\appdata\local\programs\opera gx\119.0.5497.86\opera_crashreporter.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
PID: 2348
CMD: "C:\Program Files (x86)\PremierOpinion\pmservice.exe" /service
Path: C:\Program Files (x86)\PremierOpinion\pmservice.exe
Parent process: services.exe
User:
SYSTEM
Company:
VoiceFive, Inc.
Integrity Level:
SYSTEM
Description:
PremierOpinion
Version:
1.1.26.110 (Build 26.110)
Modules
Images
c:\program files (x86)\premieropinion\pmservice.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\psapi.dll
c:\windows\syswow64\rpcrt4.dll
Total events
43 018
Read events
42 054
Write events
782
Delete events
182

Modification events

(PID) Process: (3652) Drift Exploit_92975122.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (3652) Drift Exploit_92975122.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (3652) Drift Exploit_92975122.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (3652) Drift Exploit_92975122.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Opera
Operation: write
Name: installed
Value: 1

(PID) Process: (1304) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6A27734B-3081-4A04-8948-58FB365EEB98}
Operation: write
Name: DynamicInfo
Value: 03000000047C84185092DB01DE16048A64DDDB0100000000000000006628D19164DDDB01

(PID) Process: (7048) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

(PID) Process: (7048) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7048) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (4012) setup.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Opera Software
Operation: write
Name: Last Opera GX Stable Install Path
Value: C:\Users\admin\AppData\Local\Programs\Opera GX\

(PID) Process: (3652) Drift Exploit_92975122.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\InstallUnion\1538
Operation: write
Name: BundleOfferActionUid
Value: JAC_OkTU4r6H8qf9255555
Executable files
51
Suspicious files
895
Text files
719
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 3652
Process: Drift Exploit_92975122.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Type: binary
MD5: B3AFD3BFE70A2EE9B16EEC0B011262BF
SHA256: 87EC69627485298FEB9232ACF5BC40018D8877C47E1FE75AF021349E8D7FA442

PID: 3652
Process: Drift Exploit_92975122.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E7A1EFBE05B12DE86593547A5FC0E236_E4D806264EAC942B529552B576410380
Type: binary
MD5: B7B28BCCF00A548E090DA3D0027A1130
SHA256: 182A289FDC6F2D8DBD8AAAF47DC2A7B502C51DDDF2183639FBAB8A6123DE6071

PID: 3652
Process: Drift Exploit_92975122.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Type: binary
MD5: 4A90329071AE30B759D279CCA342B0A6
SHA256: 4F544379EDA8E2653F71472AB968AEFD6B5D1F4B3CE28A5EDB14196184ED3B60

PID: 3652
Process: Drift Exploit_92975122.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E7A1EFBE05B12DE86593547A5FC0E236_E4D806264EAC942B529552B576410380
Type: binary
MD5: B634281BA1F986DCA780A158CF0579A1
SHA256: B21DA7BE1D26958CC78EFD35AC5EFFAB585D0C7A23753A0FEFE9E844F0A30CEB

PID: 3652
Process: Drift Exploit_92975122.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
Type: binary
MD5: A5C31582C25FEF6AB6F1355E98FEB167
SHA256: 28AB77D755A1228EA139A082EEAC574AD17E221EC25DD349291070D4DCAB69C8

PID: 3652
Process: Drift Exploit_92975122.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\service[1].htm
Type: text
MD5: C3DB3824B1F77AC2140152E4DB319039
SHA256: C5B617C416AEE50031F8BCAC750A65B131A923D6C6E212B5CE5E0CCC501C8FB5

PID: 3652
Process: Drift Exploit_92975122.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199
Type: binary
MD5: 46D22A25E354D0C4B9B9531FE308E131
SHA256: 31058F22F37E8CD2DAE7E3DEE75D535137EBD8ECBF6F54D229F2470A76D9F7D3

PID: 3652
Process: Drift Exploit_92975122.exe
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\geo[1].htm
Type: text
MD5: 6A4E554A7DE343BF795FF596E428E108
SHA256: 5D8DD717EF298F009307F170A18C788E18DEE79E47E86642D46F6E9AE31480C2

PID: 3652
Process: Drift Exploit_92975122.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\25D1DB4656094BF561303C5B3B7F5405_08BC28CA85E37FE0965621B0733DE32E
Type: binary
MD5: A85A71C9AAE6641AAFCBEE8057A4E760
SHA256: 863F72BE84CAA8ADF664550817DC0C6AA6C89BD4574AD7AE8FE1E841CDF6D250

PID: 3652
Process: Drift Exploit_92975122.exe
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Type: binary
MD5: 4B8402C622DD79E8550B8F330157E07F
SHA256: 2D5704D1C7E71060AFED8D0B6C3C5147CF578FB7522F7F3CD70D252860F0C8DB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
31
TCP/UDP connections
157
DNS requests
111
Threats
18

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3652
Drift Exploit_92975122.exe
GET
200
142.250.186.163:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
whitelisted
3652
Drift Exploit_92975122.exe
GET
200
216.58.206.35:80
http://c.pki.goog/r/r1.crl
unknown
whitelisted
3652
Drift Exploit_92975122.exe
GET
200
172.217.16.195:80
http://o.pki.goog/s/wr3/7DM/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEQDsM1CuTUMozAlVORf8Ight
unknown
whitelisted
3652
Drift Exploit_92975122.exe
GET
200
172.217.16.195:80
http://o.pki.goog/s/wr3/Llw/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEC5cnWKHoYQVCnAzKuFJaMg%3D
unknown
whitelisted
3652
Drift Exploit_92975122.exe
GET
200
216.58.206.35:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
3652
Drift Exploit_92975122.exe
GET
200
216.58.206.35:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
3652
Drift Exploit_92975122.exe
GET
200
18.66.145.213:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D
unknown
whitelisted
3652
Drift Exploit_92975122.exe
POST
200
165.193.78.234:80
http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=0
unknown
malicious
3652
Drift Exploit_92975122.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQ50otx%2Fh0Ztl%2Bz8SiPI7wEWVxDlQQUTiJUIBiV5uNu5g%2F6%2BrkS7QYXjzkCEAz1vQYrVgL0erhQLCPM8GY%3D
unknown
whitelisted
3652
Drift Exploit_92975122.exe
POST
200
165.193.78.234:80
http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=17&uid=JAC_OkTU4r6H8qf9255555
unknown
malicious

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5944
MoUsoCoreWorker.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
1644
RUXIMICS.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
1268
svchost.exe
20.73.194.208:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:138
whitelisted
3652
Drift Exploit_92975122.exe
35.190.60.70:443
www.dlsft.com
GOOGLE
US
whitelisted
3652
Drift Exploit_92975122.exe
142.250.186.163:80
ocsp.pki.goog
GOOGLE
US
whitelisted
3652
Drift Exploit_92975122.exe
216.58.206.35:80
c.pki.goog
GOOGLE
US
whitelisted
3652
Drift Exploit_92975122.exe
172.217.16.195:80
o.pki.goog
GOOGLE
US
whitelisted
3652
Drift Exploit_92975122.exe
104.21.80.1:443
filedm.com
CLOUDFLARENET
malicious

DNS requests

Domain
IP
Reputation
google.com
  • 142.250.185.110
whitelisted
www.dlsft.com
  • 35.190.60.70
unknown
ocsp.pki.goog
  • 142.250.186.163
whitelisted
c.pki.goog
  • 216.58.206.35
whitelisted
o.pki.goog
  • 172.217.16.195
whitelisted
dlsft.com
  • 35.190.60.70
unknown
filedm.com
  • 104.21.80.1
  • 104.21.32.1
  • 104.21.64.1
  • 104.21.112.1
  • 104.21.48.1
  • 104.21.96.1
  • 104.21.16.1
malicious
dpd.securestudies.com
  • 13.32.121.122
  • 13.32.121.51
  • 13.32.121.93
  • 13.32.121.27
whitelisted
ocsp.rootca1.amazontrust.com
  • 18.66.145.213
whitelisted
www.ovardu.com
  • 104.21.48.1
  • 104.21.32.1
  • 104.21.96.1
  • 104.21.80.1
  • 104.21.112.1
  • 104.21.64.1
  • 104.21.16.1
unknown

Threats

PID
Process
Class
Message
4232
opera.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
4232
opera.exe
Not Suspicious Traffic
INFO [ANY.RUN] Google Tag Manager analytics (googletagmanager .com)
4232
opera.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
4232
opera.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
4232
opera.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
4232
opera.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
4232
opera.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
4232
opera.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
4232
opera.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
4232
opera.exe
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
Process
Message
Drift Exploit_92975122.exe
Drift Exploit_92975122.exe
Drift Exploit_92975122.exe
at getFileInfo.@314@46 (this://app/main.html(340))
Drift Exploit_92975122.exe
Error: (undefined) has no property - value
Drift Exploit_92975122.exe
at initializeDynamicVariables (this://app/main.html(362))
Drift Exploit_92975122.exe
scanning node DsTitleBar /questions/DsTitleBar
Drift Exploit_92975122.exe
scanning node ESIconLink /questions/ESIconLink
Drift Exploit_92975122.exe
scanning node FsImageLink /questions/FsImageLink
Drift Exploit_92975122.exe
scanning node FsMain /questions/FsMain
Drift Exploit_92975122.exe
scanning node RegLocation /questions/RegLocation