File name: Swift Exploit_03588786.exe

Full analysis: https://app.any.run/tasks/7e085b4c-4200-4268-a574-c0549115d482
Verdict: Malicious activity
Threats:

Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security.

Analysis date: May 23, 2025, 21:35:01
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags: premieropinion, adware, ossproxy, relevantknowledge, stealer, auto, generic, loader, pua
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5: 52313A18825ED48281038C0049BE6ECE
SHA1: AF4EFBE470E24203B1B41CE67695ABD5071F3211
SHA256: 52B106B997FE8682E14C1D5EEDBF60F7410C4AA6AAA5E82BC802762C69179AC9
SSDEEP: 98304:C1JiKeESTPY06jUjvotnAqzmC9jm1Ore4SWhqn/Q/qX0fhgPdJqm4CCWhKuu6v/u:5K3f

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • PREMIEROPINION mutex has been found

      • ContentI3.exe (PID: 8124)
      • ContentI3.exe (PID: 8116)
      • pmropn.exe (PID: 4180)
      • pmropn.exe (PID: 1228)
    • OSSPROXY mutex has been found

      • pmropn.exe (PID: 4180)
      • pmropn.exe (PID: 1228)
    • RELEVANTKNOWLEDGE mutex has been found

      • rundll32.exe (PID: 7020)
      • pmropn.exe (PID: 4180)
      • pmropn.exe (PID: 1228)
      • pmropn32.exe (PID: 7368)
    • Application was injected by another process

      • svchost.exe (PID: 1260)
    • Runs injected code in another process

      • rundll32.exe (PID: 7020)
    • GENERIC has been found (auto)

      • firefox.exe (PID: 5972)
    • Changes Internet settings

      • pmropn.exe (PID: 1228)
    • Actions look like stealing of personal data

      • pmropn.exe (PID: 1228)
    • ADWARE has been detected (SURICATA)

      • pmropn.exe (PID: 1228)
    • OSSPROXY has been detected (SURICATA)

      • pmropn.exe (PID: 1228)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • Swift Exploit_03588786.exe (PID: 7196)
      • ContentI3.exe (PID: 8116)
      • pmropn.exe (PID: 4180)
    • Reads security settings of Internet Explorer

      • Swift Exploit_03588786.exe (PID: 7196)
      • ContentI3.exe (PID: 8116)
      • ContentI3.exe (PID: 8124)
      • pmropn.exe (PID: 4180)
      • pmropn.exe (PID: 1228)
    • There is functionality for taking screenshot (YARA)

      • Swift Exploit_03588786.exe (PID: 7196)
    • Start notepad (likely ransomware note)

      • Swift Exploit_03588786.exe (PID: 7196)
    • Executes as Windows Service

      • pmservice.exe (PID: 4980)
    • Adds/modifies Windows certificates

      • pmropn.exe (PID: 4180)
      • pmservice.exe (PID: 4980)
    • Uses RUNDLL32.EXE to load library

      • pmservice.exe (PID: 4980)
    • Searches for installed software

      • pmservice.exe (PID: 4980)
      • svchost.exe (PID: 1260)
      • rundll32.exe (PID: 7020)
      • reg.exe (PID: 1312)
      • pmropn.exe (PID: 4180)
      • ContentI3.exe (PID: 8116)
      • pmropn.exe (PID: 1228)
      • pmropn32.exe (PID: 7368)
      • unsecapp.exe (PID: 4192)
      • pmropn64.exe (PID: 7248)
    • Creates a software uninstall entry

      • pmropn.exe (PID: 4180)
      • pmservice.exe (PID: 4980)
      • ContentI3.exe (PID: 8116)
      • pmropn.exe (PID: 1228)
    • Potential Corporate Privacy Violation

      • firefox.exe (PID: 5972)
      • pmropn.exe (PID: 1228)
    • Starts CMD.EXE for commands execution

      • pmservice.exe (PID: 4980)
    • Starts POWERSHELL.EXE for commands execution

      • pmropn.exe (PID: 1228)
    • Connects to unusual port

      • pmropn.exe (PID: 1228)
  • INFO

    • Reads the computer name

      • ContentI3.exe (PID: 8116)
      • Swift Exploit_03588786.exe (PID: 7196)
      • ContentI3.exe (PID: 8124)
      • pmropn.exe (PID: 4180)
      • pmservice.exe (PID: 4980)
      • pmropn.exe (PID: 1228)
    • The sample was compiled with English language support

      • Swift Exploit_03588786.exe (PID: 7196)
      • ContentI3.exe (PID: 8116)
      • pmropn.exe (PID: 4180)
    • Checks supported languages

      • Swift Exploit_03588786.exe (PID: 7196)
      • ContentI3.exe (PID: 8124)
      • ContentI3.exe (PID: 8116)
      • pmropn.exe (PID: 4180)
      • pmservice.exe (PID: 4980)
      • pmropn.exe (PID: 1228)
      • pmropn64.exe (PID: 7248)
      • pmropn32.exe (PID: 7368)
    • Creates files or folders in the user directory

      • Swift Exploit_03588786.exe (PID: 7196)
      • ContentI3.exe (PID: 8124)
      • ContentI3.exe (PID: 8116)
      • pmropn.exe (PID: 4180)
      • pmropn.exe (PID: 1228)
    • Reads the software policy settings

      • Swift Exploit_03588786.exe (PID: 7196)
      • pmropn.exe (PID: 4180)
      • pmservice.exe (PID: 4980)
      • slui.exe (PID: 7384)
      • pmropn.exe (PID: 1228)
    • Reads the machine GUID from the registry

      • Swift Exploit_03588786.exe (PID: 7196)
      • pmropn.exe (PID: 4180)
      • pmservice.exe (PID: 4980)
      • pmropn.exe (PID: 1228)
    • Creates files in a temporary directory

      • Swift Exploit_03588786.exe (PID: 7196)
      • ContentI3.exe (PID: 8116)
    • Process checks computer location settings

      • Swift Exploit_03588786.exe (PID: 7196)
    • Checks proxy server information

      • Swift Exploit_03588786.exe (PID: 7196)
      • pmropn.exe (PID: 4180)
      • pmropn.exe (PID: 1228)
    • Reads security settings of Internet Explorer

      • notepad.exe (PID: 7152)
      • cmd.exe (PID: 7148)
      • cmd.exe (PID: 7596)
    • OSSPROXY has been detected

      • ContentI3.exe (PID: 8116)
      • pmservice.exe (PID: 4980)
      • cmd.exe (PID: 7596)
      • cmd.exe (PID: 7148)
    • Creates files in the program directory

      • reg.exe (PID: 1312)
      • ContentI3.exe (PID: 8116)
      • pmservice.exe (PID: 4980)
      • pmropn.exe (PID: 4180)
      • pmropn.exe (PID: 1228)
    • Manual execution by a user

      • firefox.exe (PID: 4220)
    • Application launched itself

      • firefox.exe (PID: 4220)
      • firefox.exe (PID: 5972)
    • Executable content was dropped or overwritten

      • firefox.exe (PID: 5972)
No Malware configuration.

TRiD

.exe | Win64 Executable (generic) (76.4)
.exe | Win32 Executable (generic) (12.4)
.exe | Generic Win/DOS Executable (5.5)
.exe | DOS Executable Generic (5.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2025:05:20 17:21:47+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 14.22
CodeSize: 4353024
InitializedDataSize: 1676800
UninitializedDataSize: -
EntryPoint: 0x398d2a
OSVersion: 6
ImageVersion: -
SubsystemVersion: 6
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Unknown (0)
ObjectFileType: Unknown
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
FileDescription: Download Manager
FileVersion: 1
InternalName: Download Manager
LegalCopyright: Download Manager
OriginalFileName: Download Manager
ProductName: Download Manager
ProductVersion: 1
No data.
All screenshots are available in the full report
Total processes: 302
Monitored processes: 167
Malicious processes: 10
Suspicious processes: 3


Process information

PID
CMD
Path
Indicators
Parent process
PID: 516
CMD: CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.549981c3f5f10_8wekyb3d8bbwe
Path: C:\Windows\SysWOW64\CheckNetIsolation.exe
Parent process: pmropn.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AppContainer Network Isolation Diagnostic Tool
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID: 660
CMD: CheckNetIsolation.exe LoopbackExempt -a -n=1527c705-839a-4832-9118-54d4bd6a0c89_cw5n1h2txyewy
Path: C:\Windows\SysWOW64\CheckNetIsolation.exe
Parent process: pmropn.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
AppContainer Network Isolation Diagnostic Tool
Exit code:
0
Version:
10.0.19041.3636 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll
PID: 672
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5044 -childID 3 -isForBrowser -prefsHandle 5000 -prefMapHandle 4852 -prefsLen 31243 -prefMapSize 244583 -jsInitHandle 1528 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bd56f47-f723-43db-bc5f-4bf1771170d4} 5972 "\\.\pipe\gecko-crash-server-pipe.5972" 27656068690 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140_1.dll
PID: 1228
CMD: "c:\program files (x86)\premieropinion\pmropn.exe" -boot
Path: C:\Program Files (x86)\PremierOpinion\pmropn.exe
Parent process: pmservice.exe
User:
admin
Company:
VoiceFive, Inc.
Integrity Level:
MEDIUM
Description:
PremierOpinion
Version:
1.3.340.310 (Build 340.310)
Modules
Images
c:\program files (x86)\premieropinion\pmropn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\rpcrt4.dll
c:\windows\syswow64\setupapi.dll
PID: 1260
CMD: C:\WINDOWS\system32\svchost.exe -k netsvcs -p -s Schedule
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 1312
CMD: reg.exe EXPORT "HKLM\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\{eeb86aef-4a5d-4b75-9d74-f16d438fc286}" C:\PROGRA~2\PREMIE~1\RData.reg /y
Path: C:\Windows\SysWOW64\reg.exe
Parent process: pmservice.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Registry Console Tool
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\syswow64\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\advapi32.dll
PID: 1560
CMD: \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1
Path: C:\Windows\System32\conhost.exe
Parent process: CheckNetIsolation.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Console Window Host
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
PID: 2196
CMD: C:\WINDOWS\system32\svchost.exe -k NetworkService -p -s Dnscache
Path: C:\Windows\System32\svchost.exe
Parent process: services.exe
User:
NETWORK SERVICE
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Host Process for Windows Services
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\kernel.appcore.dll
PID: 2392
CMD: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5504 -childID 6 -isForBrowser -prefsHandle 5500 -prefMapHandle 6068 -prefsLen 31324 -prefMapSize 244583 -jsInitHandle 1528 -jsInitLen 235124 -parentBuildID 20240213221259 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b32f7ad7-b986-4596-b2aa-ae4a0633f90f} 5972 "\\.\pipe\gecko-crash-server-pipe.5972" 27656270f50 tab
Path: C:\Program Files\Mozilla Firefox\firefox.exe
Parent process: firefox.exe
User:
admin
Company:
Mozilla Corporation
Integrity Level:
MEDIUM
Description:
Firefox
Version:
123.0
Modules
Images
c:\program files\mozilla firefox\firefox.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\program files\mozilla firefox\mozglue.dll
c:\windows\system32\crypt32.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\msvcp140.dll
c:\windows\system32\vcruntime140.dll
Total events: 80 418
Read events: 80 142
Write events: 181
Delete events: 95

Modification events

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{C2AF3602-9179-4BAE-85B3-74A4EF5CF51F}
Operation: write
Name: DynamicInfo
Value: 03000000BDCB09F80A59DA01118B7D8B2ACCDB0100000000000000009365988D2ACCDB01

(PID) Process: (7196) Swift Exploit_03588786.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content
Operation: write
Name: CachePrefix
Value:

(PID) Process: (7196) Swift Exploit_03588786.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies
Operation: write
Name: CachePrefix
Value: Cookie:

(PID) Process: (7196) Swift Exploit_03588786.exe
Key: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History
Operation: write
Name: CachePrefix
Value: Visited:

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{F93AD50A-2FB2-4A34-88EF-786903C710ED}
Operation: write
Name: DynamicInfo
Value: 03000000C09775A51C59DA01118B7D8B2ACCDB01000000000540008013DF69912ACCDB01

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4671B5C1-A383-4428-A45A-8D348E4CB873}
Operation: write
Name: DynamicInfo
Value: 030000009F7DFD23AAB7D801118B7D8B2ACCDB0100000000000000005F37B6912ACCDB01

(PID) Process: (1260) svchost.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{0CEC0B91-4AE9-4E8A-ACB2-3B4C811F442C}
Operation: write
Name: DynamicInfo
Value: 0300000059EDC123AAB7D801118B7D8B2ACCDB010000000000000000BDCA3A932ACCDB01

(PID) Process: (7196) Swift Exploit_03588786.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\InstallUnion\1538
Operation: write
Name: BundleOfferActionUid
Value: OI00a2TdQqRV_ahRY55555

(PID) Process: (7196) Swift Exploit_03588786.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\InstallUnion\1538
Operation: write
Name: dt_age
Value: 1

(PID) Process: (7196) Swift Exploit_03588786.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\InstallUnion\1538
Operation: write
Name: dt_gender
Value: f
Executable files: 20
Suspicious files: 230
Text files: 122
Unknown types: 0

Dropped files

PID
Process
Filename
Type
PID 1260, svchost.exe, type: xml
Filename: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskNetwork
MD5: 18E755C987BFC19E9243E2297F9E5973
SHA256: 28A47DB050051049E35249EA57B389E3946003173806D02064ADFCC5F46E0880

PID 1260, svchost.exe, type: xml
Filename: C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform\SvcRestartTaskLogon
MD5: 8CBC84881481158749FD559D1D305C46
SHA256: F4902BEF1E82CDAB34A23A43A7F15C0D1C0A0B86E5DD187CACB75E3DF4024153

PID 7196, Swift Exploit_03588786.exe, type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199
MD5: C22301B5245B697AA0D960E7D3A2D560
SHA256: 8E63BB9D833DDFF90DB225799A6B20821540B2A10AB3764EE07767259765DA0E

PID 7196, Swift Exploit_03588786.exe, type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\25D1DB4656094BF561303C5B3B7F5405_08BC28CA85E37FE0965621B0733DE32E
MD5: EE03D96B3794C62B8AB9CB0960B0C487
SHA256: DDC5A6619FF1711FAD12ED54866AB7C2166ABA9E3939D4472A771E1F4F82C5F5

PID 7196, Swift Exploit_03588786.exe, type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E7A1EFBE05B12DE86593547A5FC0E236_E4D806264EAC942B529552B576410380
MD5: D04DF14CC2516384440B10C601275FDA
SHA256: F6A3B2DFBE09BF95FEBC78D90F6FDE5C2CC6CCBB34ED5541E05EED37849DD9A1

PID 7196, Swift Exploit_03588786.exe, type: text
Filename: C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\RR3E01RZ\geo[1].htm
MD5: 309A15F0263A69E63ECF64C81F62B949
SHA256: 1CFD456BBF4638323141765DE947B0AA62837897BFFD166B437668E7D9C2EC82

PID 7196, Swift Exploit_03588786.exe, type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
MD5: 1FBB37F79B317A9A248E7C4CE4F5BAC5
SHA256: 9BF639C595FE335B6F694EE35990BEFD2123F5E07FD1973FF619E3FC88F5F49F

PID 7196, Swift Exploit_03588786.exe, type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
MD5: F36ED9462B2E29E6C3A172672A596E0D
SHA256: 3031D5600B27C96EAB1FE3E0347E3C22850D7FD1B43274867058B5BE811EE6ED

PID 7196, Swift Exploit_03588786.exe, type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
MD5: 96C78184A68065A0021500B965B3AE47
SHA256: 09193D51031C150B07610B447053E1B29C5E1ED2A10681EE9018BBFC2EC4E5F5

PID 7196, Swift Exploit_03588786.exe, type: binary
Filename: C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
MD5: BD48627ED4BAB9614EEA20ADE1F093D7
SHA256: 7A58533F1323DB6469E502202C72E219C9C3117E50D1F4C7E3B626DF29D7FA38
HTTP(S) requests: 69
TCP/UDP connections: 232
DNS requests: 177
Threats: 36

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
200
23.216.77.20:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl
unknown
whitelisted
7196
Swift Exploit_03588786.exe
GET
200
142.250.186.163:80
http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D
unknown
whitelisted
7196
Swift Exploit_03588786.exe
GET
200
142.250.186.163:80
http://c.pki.goog/r/r1.crl
unknown
whitelisted
7196
Swift Exploit_03588786.exe
GET
200
142.250.186.163:80
http://o.pki.goog/s/wr3/7DM/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEQDsM1CuTUMozAlVORf8Ight
unknown
whitelisted
7196
Swift Exploit_03588786.exe
GET
200
142.250.186.163:80
http://o.pki.goog/s/wr3/Llw/MFEwTzBNMEswSTAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEC5cnWKHoYQVCnAzKuFJaMg%3D
unknown
whitelisted
7196
Swift Exploit_03588786.exe
GET
200
142.250.186.163:80
http://c.pki.goog/r/gsr1.crl
unknown
whitelisted
7196
Swift Exploit_03588786.exe
GET
200
142.250.186.163:80
http://c.pki.goog/r/r4.crl
unknown
whitelisted
7196
Swift Exploit_03588786.exe
GET
200
18.66.181.160:80
http://ocsp.rootca1.amazontrust.com/MFQwUjBQME4wTDAJBgUrDgMCGgUABBRPWaOUU8%2B5VZ5%2Fa9jFTaU9pkK3FAQUhBjMhTTsvAyUlC4IWZzHshBOCggCEwdzEkzUBtJnwJkc3SmanzgxeYU%3D
unknown
whitelisted
6544
svchost.exe
GET
200
2.17.190.73:80
http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
5796
svchost.exe
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
4
System
192.168.100.255:137
whitelisted
51.124.78.146:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
23.216.77.20:80
crl.microsoft.com
Akamai International B.V.
DE
whitelisted
23.35.229.160:80
www.microsoft.com
AKAMAI-AS
DE
whitelisted
4
System
192.168.100.255:138
whitelisted
7196
Swift Exploit_03588786.exe
35.190.60.70:443
www.dlsft.com
GOOGLE
US
whitelisted
7196
Swift Exploit_03588786.exe
142.250.186.163:80
ocsp.pki.goog
GOOGLE
US
whitelisted
7196
Swift Exploit_03588786.exe
104.21.32.1:443
filedm.com
CLOUDFLARENET
malicious
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 51.124.78.146
  • 4.231.128.59
whitelisted
crl.microsoft.com
  • 23.216.77.20
  • 23.216.77.27
  • 23.216.77.25
  • 23.216.77.15
  • 23.216.77.16
  • 23.216.77.28
  • 23.216.77.17
  • 23.216.77.21
  • 23.216.77.30
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted
google.com
  • 142.250.181.238
whitelisted
www.dlsft.com
  • 35.190.60.70
unknown
ocsp.pki.goog
  • 142.250.186.163
whitelisted
c.pki.goog
  • 142.250.186.163
whitelisted
o.pki.goog
  • 142.250.186.163
whitelisted
dlsft.com
  • 35.190.60.70
unknown
filedm.com
  • 104.21.32.1
  • 104.21.48.1
  • 104.21.80.1
  • 104.21.64.1
  • 104.21.96.1
  • 104.21.16.1
  • 104.21.112.1
malicious

Threats

PID
Process
Class
Message
5972
firefox.exe
Potential Corporate Privacy Violation
ET INFO PE EXE or DLL Windows file download HTTP
5972
firefox.exe
Misc activity
ET INFO EXE - Served Attached HTTP
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
5972
firefox.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
5972
firefox.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
2196
svchost.exe
Potentially Bad Traffic
ET FILE_SHARING Online File Storage Domain in DNS Lookup (gofile .io)
5972
firefox.exe
Misc activity
ET FILE_SHARING File Sharing Related Domain in TLS SNI (gofile .io)
No debug info