File name: Swift Exploit_03588786.exe

Full analysis: https://app.any.run/tasks/7e085b4c-4200-4268-a574-c0549115d482
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: May 23, 2025, 21:35:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: premieropinion, adware, ossproxy, relevantknowledge, stealer, auto, generic, loader, pua
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 52313A18825ED48281038C0049BE6ECE
SHA1: AF4EFBE470E24203B1B41CE67695ABD5071F3211
SHA256: 52B106B997FE8682E14C1D5EEDBF60F7410C4AA6AAA5E82BC802762C69179AC9
SSDEEP: 98304:C1JiKeESTPY06jUjvotnAqzmC9jm1Ore4SWhqn/Q/qX0fhgPdJqm4CCWhKuu6v/u:5K3f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • PREMIEROPINION mutex has been found

      • ContentI3.exe (PID: 8124)
      • ContentI3.exe (PID: 8116)
      • pmropn.exe (PID: 4180)
      • pmropn.exe (PID: 1228)
    • OSSPROXY mutex has been found

      • pmropn.exe (PID: 4180)
      • pmropn.exe (PID: 1228)
    • RELEVANTKNOWLEDGE mutex has been found

      • rundll32.exe (PID: 7020)
      • pmropn.exe (PID: 4180)
      • pmropn.exe (PID: 1228)
      • pmropn32.exe (PID: 7368)
    • Application was injected by another process

      • svchost.exe (PID: 1260)
    • Runs injected code in another process

      • rundll32.exe (PID: 7020)
    • Change Internet Settings

      • pmropn.exe (PID: 1228)
    • Actions look like stealing of personal data

      • pmropn.exe (PID: 1228)
    • OSSPROXY has been detected (SURICATA)

      • pmropn.exe (PID: 1228)
    • GENERIC has been found (auto)

      • firefox.exe (PID: 5972)
    • ADWARE has been detected (SURICATA)

      • pmropn.exe (PID: 1228)
  • SUSPICIOUS

    • There is functionality for taking screenshots (YARA)

      • Swift Exploit_03588786.exe (PID: 7196)
    • Reads security settings of Internet Explorer

      • Swift Exploit_03588786.exe (PID: 7196)
      • ContentI3.exe (PID: 8116)
      • ContentI3.exe (PID: 8124)
      • pmropn.exe (PID: 4180)
      • pmropn.exe (PID: 1228)
    • Start notepad (likely ransomware note)

      • Swift Exploit_03588786.exe (PID: 7196)
    • Executable content was dropped or overwritten

      • ContentI3.exe (PID: 8116)
      • Swift Exploit_03588786.exe (PID: 7196)
      • pmropn.exe (PID: 4180)
    • Creates a software uninstall entry

      • pmropn.exe (PID: 4180)
      • pmservice.exe (PID: 4980)
      • ContentI3.exe (PID: 8116)
      • pmropn.exe (PID: 1228)
    • Searches for installed software

      • pmservice.exe (PID: 4980)
      • rundll32.exe (PID: 7020)
      • reg.exe (PID: 1312)
      • pmropn.exe (PID: 4180)
      • svchost.exe (PID: 1260)
      • ContentI3.exe (PID: 8116)
      • pmropn.exe (PID: 1228)
      • pmropn64.exe (PID: 7248)
      • pmropn32.exe (PID: 7368)
      • unsecapp.exe (PID: 4192)
    • Adds/modifies Windows certificates

      • pmropn.exe (PID: 4180)
      • pmservice.exe (PID: 4980)
    • Executes as Windows Service

      • pmservice.exe (PID: 4980)
    • Uses RUNDLL32.EXE to load library

      • pmservice.exe (PID: 4980)
    • Potential Corporate Privacy Violation

      • firefox.exe (PID: 5972)
      • pmropn.exe (PID: 1228)
    • Starts CMD.EXE for commands execution

      • pmservice.exe (PID: 4980)
    • Starts POWERSHELL.EXE for commands execution

      • pmropn.exe (PID: 1228)
    • Connects to unusual port

      • pmropn.exe (PID: 1228)
  • INFO

    • Reads the computer name

      • Swift Exploit_03588786.exe (PID: 7196)
      • ContentI3.exe (PID: 8124)
      • ContentI3.exe (PID: 8116)
      • pmropn.exe (PID: 4180)
      • pmservice.exe (PID: 4980)
      • pmropn.exe (PID: 1228)
    • The sample was compiled with English language support

      • Swift Exploit_03588786.exe (PID: 7196)
      • ContentI3.exe (PID: 8116)
      • pmropn.exe (PID: 4180)
    • Reads the machine GUID from the registry

      • Swift Exploit_03588786.exe (PID: 7196)
      • pmropn.exe (PID: 4180)
      • pmservice.exe (PID: 4980)
      • pmropn.exe (PID: 1228)
    • Checks supported languages

      • Swift Exploit_03588786.exe (PID: 7196)
      • ContentI3.exe (PID: 8124)
      • ContentI3.exe (PID: 8116)
      • pmservice.exe (PID: 4980)
      • pmropn.exe (PID: 1228)
      • pmropn64.exe (PID: 7248)
      • pmropn32.exe (PID: 7368)
      • pmropn.exe (PID: 4180)
    • Checks proxy server information

      • Swift Exploit_03588786.exe (PID: 7196)
      • pmropn.exe (PID: 4180)
      • pmropn.exe (PID: 1228)
    • Creates files or folders in the user directory

      • Swift Exploit_03588786.exe (PID: 7196)
      • ContentI3.exe (PID: 8124)
      • ContentI3.exe (PID: 8116)
      • pmropn.exe (PID: 4180)
      • pmropn.exe (PID: 1228)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 7152)
      • cmd.exe (PID: 7148)
      • cmd.exe (PID: 7596)
    • Creates files in a temporary directory

      • ContentI3.exe (PID: 8116)
      • Swift Exploit_03588786.exe (PID: 7196)
    • Reads the software policy settings

      • Swift Exploit_03588786.exe (PID: 7196)
      • pmservice.exe (PID: 4980)
      • pmropn.exe (PID: 1228)
      • slui.exe (PID: 7384)
      • pmropn.exe (PID: 4180)
    • Process checks computer location settings

      • Swift Exploit_03588786.exe (PID: 7196)
    • Creates files in the program directory

      • ContentI3.exe (PID: 8116)
      • reg.exe (PID: 1312)
      • pmservice.exe (PID: 4980)
      • pmropn.exe (PID: 4180)
      • pmropn.exe (PID: 1228)
    • OSSPROXY has been detected

      • ContentI3.exe (PID: 8116)
      • pmservice.exe (PID: 4980)
      • cmd.exe (PID: 7596)
      • cmd.exe (PID: 7148)
    • Application launched itself

      • firefox.exe (PID: 4220)
      • firefox.exe (PID: 5972)
    • Manual execution by a user

      • firefox.exe (PID: 4220)
    • Executable content was dropped or overwritten

      • firefox.exe (PID: 5972)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:20 17:21:47+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.22
CodeSize: 4353024
InitializedDataSize: 1676800
UninitializedDataSize: -
EntryPoint: 0x398d2a
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Download Manager
FileVersion: 1
InternalName: Download Manager
LegalCopyright: Download Manager
OriginalFileName: Download Manager
ProductName: Download Manager
ProductVersion: 1
No data.
All screenshots are available in the full report
Total processes: 302
Monitored processes: 167
Malicious processes: 10
Suspicious processes: 3

Behavior graph

[Behavior graph: interactive process tree, viewable in the full report. Nodes in the order listed, tagged ones marked: start, swift exploit_03588786.exe, sppextcomobj.exe, slui.exe, contenti3.exe (#PREMIEROPINION, two instances), notepad.exe, pmropn.exe (#RELEVANTKNOWLEDGE), pmservice.exe, rundll32.exe (#RELEVANTKNOWLEDGE), reg.exe, conhost.exe, firefox.exe (one instance tagged #GENERIC, many untagged child instances), pmropn.exe (#PREMIEROPINION), slui.exe, unsecapp.exe, cmd.exe (two instances), pmropn64.exe and pmropn32.exe (several instances, one pmropn32.exe tagged #RELEVANTKNOWLEDGE), a long run of checknetisolation.exe/conhost.exe pairs, firefox.exe, rundll32.exe, pmropn.exe, powershell.exe, conhost.exe, svchost.exe (two instances), swift exploit_03588786.exe.]

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 516
CMD: CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.549981c3f5f10_8wekyb3d8bbwe
Path: C:\Windows\SysWOW64\CheckNetIsolation.exe
Parent process: pmropn.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: AppContainer Network Isolation Diagnostic Tool
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID: 660
CMD: CheckNetIsolation.exe LoopbackExempt -a -n=1527c705-839a-4832-9118-54d4bd6a0c89_cw5n1h2txyewy
Path: C:\Windows\SysWOW64\CheckNetIsolation.exe
Parent process: pmropn.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: AppContainer Network Isolation Diagnostic Tool
Exit code: 0
Version: 10.0.19041.3636 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID: 672
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5044 -childID 3 -isForBrowser -prefsHandle 5000 -prefMapHandle 4852 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1528 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bd56f47-f723-43db-bc5f-4bf1771170d4} 5972 "\\.\pipe\gecko-crash-server-pipe.5972" 27656068690 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140_1.dll
PID: 1228
CMD: "c:\program files (x86)\premieropinion\pmropn.exe" -boot
Path: C:\Program Files (x86)\PremierOpinion\pmropn.exe
Parent process: pmservice.exe
User: admin
Company: VoiceFive, Inc.
Integrity Level: MEDIUM
Description: PremierOpinion
Version: 1.3.340.310 (Build 340.310)
Modules (images):
c:\program files (x86)\premieropinion\pmropn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\setupapi.dll
PID: 1260
CMD: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Schedule
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 1312
CMD: reg.exe EXPORT "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{eeb86aef-4a5d-4b75-9d74-f16d438fc286}" C:\PROGRA~2\PREMIE~1\RData.reg /y
Path: C:\Windows\SysWOW64\reg.exe
Parent process: pmservice.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Registry Console Tool
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID: 1560
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: CheckNetIsolation.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Console Window Host
Exit code: 0
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User: NETWORK SERVICE
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Host Process for Windows Services
Version: 10.0.19041.1 (WinBuild.160101.0800)
Modules (images):
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2392
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 6 -isForBrowser -prefsHandle 5500 -prefMapHandle 6068 -prefsLen 31324 -prefMapSize 244583 -jsInitHandle 1528 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b32f7ad7-b986-4596-b2aa-ae4a0633f90f} 5972 "\\.\pipe\gecko-crash-server-pipe.5972" 27656270f50 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User: admin
Company: Mozilla Corporation
Integrity Level: MEDIUM
Description: Firefox
Version: 123.0
Modules (images):
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
Total events: 80 418
Read events: 80 142
Write events: 181
Delete events: 95

Modification events

Process: (PID 1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C2AF3602-9179-4BAE-85B3-74A4EF5CF51F}
Operation: write
Name: DynamicInfo
Value: 03000000BDCB09F80A59DA01118B7D8B2ACCDB0100000000000000009365988D2ACCDB01

Process: (PID 7196) Swift Exploit_03588786.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value: (empty)

Process: (PID 7196) Swift Exploit_03588786.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

Process: (PID 7196) Swift Exploit_03588786.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

Process: (PID 1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F93AD50A-2FB2-4A34-88EF-786903C710ED}
Operation: write
Name: DynamicInfo
Value: 03000000C09775A51C59DA01118B7D8B2ACCDB01000000000540008013DF69912ACCDB01

Process: (PID 1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4671B5C1-A383-4428-A45A-8D348E4CB873}
Operation: write
Name: DynamicInfo
Value: 030000009F7DFD23AAB7D801118B7D8B2ACCDB0100000000000000005F37B6912ACCDB01

Process: (PID 1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0CEC0B91-4AE9-4E8A-ACB2-3B4C811F442C}
Operation: write
Name: DynamicInfo
Value: 0300000059EDC123AAB7D801118B7D8B2ACCDB010000000000000000BDCA3A932ACCDB01

Process: (PID 7196) Swift Exploit_03588786.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\InstallUnion\1538
Operation: write
Name: BundleOfferActionUid
Value: OI00a2TdQqRV_ahRY55555

Process: (PID 7196) Swift Exploit_03588786.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\InstallUnion\1538
Operation: write
Name: dt_age
Value: 1

Process: (PID 7196) Swift Exploit_03588786.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\InstallUnion\1538
Operation: write
Name: dt_gender
Value: f
Executable files: 20
Suspicious files: 230
Text files: 122
Unknown types: 0

Dropped files

PID | Process | Filename | Type

1260 | svchost.exe | C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskNetwork | xml
MD5: 18E755C987BFC19E9243E2297F9E5973
SHA256: 28A47DB050051049E35249EA57B389E3946003173806D02064ADFCC5F46E0880

1260 | svchost.exe | C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskLogon | xml
MD5: 8CBC84881481158749FD559D1D305C46
SHA256: F4902BEF1E82CDAB34A23A43A7F15C0D1C0A0B86E5DD187CACB75E3DF4024153

7196 | Swift Exploit_03588786.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E7A1EFBE05B12DE86593547A5FC0E236_E4D806264EAC942B529552B576410380 | binary
MD5: 06A6072D00053EF338AB39841DB07F7C
SHA256: 144640A98DAAF5C8566C9E9FB7DE9E75C35B1CF76B5A649ECFD743F27398E7F9

7196 | Swift Exploit_03588786.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12 | binary
MD5: 4A90329071AE30B759D279CCA342B0A6
SHA256: 4F544379EDA8E2653F71472AB968AEFD6B5D1F4B3CE28A5EDB14196184ED3B60

7196 | Swift Exploit_03588786.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E7A1EFBE05B12DE86593547A5FC0E236_E4D806264EAC942B529552B576410380 | binary
MD5: D04DF14CC2516384440B10C601275FDA
SHA256: F6A3B2DFBE09BF95FEBC78D90F6FDE5C2CC6CCBB34ED5541E05EED37849DD9A1

7196 | Swift Exploit_03588786.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199 | binary
MD5: C22301B5245B697AA0D960E7D3A2D560
SHA256: 8E63BB9D833DDFF90DB225799A6B20821540B2A10AB3764EE07767259765DA0E

7196 | Swift Exploit_03588786.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA | binary
MD5: BD48627ED4BAB9614EEA20ADE1F093D7
SHA256: 7A58533F1323DB6469E502202C72E219C9C3117E50D1F4C7E3B626DF29D7FA38

7196 | Swift Exploit_03588786.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199 | binary
MD5: 5B8249A4E39DF03D37C23862ED449E32
SHA256: 64DDBE9770B0B0D9F7520FF050EF19499FF78BE2CE7F975D71D3652EB01352DE

7196 | Swift Exploit_03588786.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\E4DJRUXW\logo[1].png | image
MD5: 2D4E9E8198F0C3EADE53C619CD1FE4EA
SHA256: C97E703578120C1F7A570ACAC3B461178A5E051CE16BE9E266C1789C1D610AC0

7196 | Swift Exploit_03588786.exe | C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8 | binary
MD5: 96C78184A68065A0021500B965B3AE47
SHA256: 09193D51031C150B07610B447053E1B29C5E1ED2A10681EE9018BBFC2EC4E5F5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 69
TCP/UDP connections: 232
DNS requests: 177
Threats: 36

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Reputation

- | - | GET | 200 | 23.216.77.20:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | whitelisted
7920 | SIHClient.exe | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl | unknown | whitelisted
7196 | Swift Exploit_03588786.exe | GET | 200 | 104.18.38.233:80 | http://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTNMNJMNDqCqx8FcBWK16EHdimS6QQUU3m%2FWqorSs9UgOHYm8Cd8rIDZssCEBN9U5yqfDGppDNwGWiEeo0%3D | unknown | whitelisted
7196 | Swift Exploit_03588786.exe | POST | 200 | 165.193.78.234:80 | http://post.securestudies.com/TapAction.aspx?campaign_id=1538&tpi=InstallUnion&action_id=0 | unknown | malicious
- | - | GET | 200 | 23.35.229.160:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | whitelisted
7196 | Swift Exploit_03588786.exe | GET | 200 | 142.250.186.163:80 | http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D | unknown | whitelisted
7196 | Swift Exploit_03588786.exe | GET | 200 | 142.250.186.163:80 | http://c.pki.goog/r/r1.crl | unknown | whitelisted
7196 | Swift Exploit_03588786.exe | GET | 200 | 142.250.186.163:80 | http://o.pki.goog/s/wr3/7DM/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEQDsM1CuTUMozAlVORf8Ight | unknown | whitelisted
7196 | Swift Exploit_03588786.exe | GET | 200 | 142.250.186.163:80 | http://o.pki.goog/s/wr3/Llw/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEC5cnWKHoYQVCnAzKuFJaMg%3D | unknown | whitelisted
7196 | Swift Exploit_03588786.exe | GET | 200 | 142.250.186.163:80 | http://c.pki.goog/r/gsr1.crl | unknown | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation

5796 | svchost.exe | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
4 | System | 192.168.100.255:137 | - | - | - | whitelisted
- | - | 51.124.78.146:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted
- | - | 23.216.77.20:80 | crl.microsoft.com | Akamai International B.V. | DE | whitelisted
- | - | 23.35.229.160:80 | www.microsoft.com | AKAMAI-AS | DE | whitelisted
4 | System | 192.168.100.255:138 | - | - | - | whitelisted
7196 | Swift Exploit_03588786.exe | 35.190.60.70:443 | www.dlsft.com | GOOGLE | US | whitelisted
7196 | Swift Exploit_03588786.exe | 142.250.186.163:80 | ocsp.pki.goog | GOOGLE | US | whitelisted
7196 | Swift Exploit_03588786.exe | 104.21.32.1:443 | filedm.com | CLOUDFLARENET | - | malicious
3216 | svchost.exe | 172.211.123.249:443 | client.wns.windows.com | MICROSOFT-CORP-MSN-AS-BLOCK | FR | whitelisted

DNS requests

Domain | IP | Reputation

settings-win.data.microsoft.com | 51.124.78.146, 4.231.128.59 | whitelisted
crl.microsoft.com | 23.216.77.20, 23.216.77.27, 23.216.77.25, 23.216.77.15, 23.216.77.16, 23.216.77.28, 23.216.77.17, 23.216.77.21, 23.216.77.30 | whitelisted
www.microsoft.com | 23.35.229.160 | whitelisted
google.com | 142.250.181.238 | whitelisted
www.dlsft.com | 35.190.60.70 | unknown
ocsp.pki.goog | 142.250.186.163 | whitelisted
c.pki.goog | 142.250.186.163 | whitelisted
o.pki.goog | 142.250.186.163 | whitelisted
dlsft.com | 35.190.60.70 | unknown
filedm.com | 104.21.32.1, 104.21.48.1, 104.21.80.1, 104.21.64.1, 104.21.96.1, 104.21.16.1, 104.21.112.1 | malicious

Threats

PID | Process | Class | Message

5972 | firefox.exe | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP
5972 | firefox.exe | Misc activity | ET INFO EXE - Served Attached HTTP
2196 | svchost.exe | Potentially Bad Traffic | ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
2196 | svchost.exe | Potentially Bad Traffic | ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
2196 | svchost.exe | Potentially Bad Traffic | ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
5972 | firefox.exe | Misc activity | ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
5972 | firefox.exe | Misc activity | ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
2196 | svchost.exe | Potentially Bad Traffic | ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
2196 | svchost.exe | Potentially Bad Traffic | ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
5972 | firefox.exe | Misc activity | ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
No debug info