Malware analysis Swift Exploit_37393402(1).exe Malicious activity

Add for printing

File name:	Swift Exploit_37393402(1).exe
Full analysis:	https://app.any.run/tasks/1bc46048-0049-46ad-a503-d13afd5741a7
Verdict:	Malicious activity
Threats:	Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. Stealers are a group of malicious software that are intended for gaining unauthorized access to users’ information and transferring it to the attacker. The stealer malware category includes various types of programs that focus on their particular kind of data, including files, passwords, and cryptocurrency. Stealers are capable of spying on their targets by recording their keystrokes and taking screenshots. This type of malware is primarily distributed as part of phishing campaigns. Malware Trends Tracker >>>
Analysis date:	December 28, 2024, 08:23:09
OS:	Windows 10 Professional (build: 19045, 64 bit)
Tags:	stealer pua ossproxy adware
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386, for MS Windows, 5 sections
MD5:	15D1C495FF66BF7CEA8A6D14BFDF0A20
SHA1:	942814521FA406A225522F208AC67F90DBDE0AE7
SHA256:	61C2C4A5D7C14F77EE88871DED4CC7F1E49DAE3E4EF209504C66FEDF4D22DE42
SSDEEP:	98304:DtjM+LgnHM8mNLNpOmMGl2p9tjIQh+1GHp8PGmDFzMVv3kdcpR41TBN14BC6SkPT:Kw8

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: off
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Application was injected by another process
  - svchost.exe (PID: 1276)
- Runs injected code in another process
  - rundll32.exe (PID: 6800)
- Actions looks like stealing of personal data
  - pmropn.exe (PID: 5864)
  - opera.exe (PID: 1020)
- Change Internet Settings
  - pmropn.exe (PID: 5864)
- Changes the autorun value in the registry
  - opera.exe (PID: 1020)
- Steals credentials from Web Browsers
  - opera.exe (PID: 1020)
- OSSPROXY has been detected (SURICATA)
  - pmropn.exe (PID: 5864)
- ADWARE has been detected (SURICATA)
  - pmropn.exe (PID: 5864)
SUSPICIOUS
- Reads security settings of Internet Explorer
  - Swift Exploit_37393402(1).exe (PID: 6616)
  - setup.exe (PID: 4824)
  - ContentI3.exe (PID: 5916)
  - pmropn.exe (PID: 6732)
  - pmropn.exe (PID: 5864)
  - installer.exe (PID: 6476)
  - opera.exe (PID: 8628)
  - pmropn.exe (PID: 5256)
- Executable content was dropped or overwritten
  - setup.exe (PID: 5880)
  - OperaGX.exe (PID: 644)
  - Swift Exploit_37393402(1).exe (PID: 6616)
  - setup.exe (PID: 4052)
  - setup.exe (PID: 5548)
  - setup.exe (PID: 4824)
  - setup.exe (PID: 5544)
  - ContentI3.exe (PID: 5916)
  - pmropn.exe (PID: 6732)
  - Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe (PID: 1804)
  - installer.exe (PID: 1760)
  - installer.exe (PID: 6476)
- Checks Windows Trust Settings
  - Swift Exploit_37393402(1).exe (PID: 6616)
  - setup.exe (PID: 4824)
  - pmropn.exe (PID: 6732)
  - pmropn.exe (PID: 5864)
- Application launched itself
  - setup.exe (PID: 4824)
  - setup.exe (PID: 4052)
  - assistant_installer.exe (PID: 6792)
  - installer.exe (PID: 6476)
  - opera.exe (PID: 1020)
  - opera_autoupdate.exe (PID: 8556)
  - installer.exe (PID: 8380)
  - opera_autoupdate.exe (PID: 7464)
  - opera_autoupdate.exe (PID: 8908)
- Starts itself from another location
  - setup.exe (PID: 4824)
- Start notepad (likely ransomware note)
  - Swift Exploit_37393402(1).exe (PID: 6616)
- Searches for installed software
  - pmropn.exe (PID: 6732)
  - svchost.exe (PID: 1276)
  - rundll32.exe (PID: 6800)
  - reg.exe (PID: 2996)
  - pmservice.exe (PID: 6328)
  - ContentI3.exe (PID: 5916)
  - pmropn.exe (PID: 5864)
  - pmropn.exe (PID: 4360)
  - Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe (PID: 1804)
  - pmropn64.exe (PID: 6632)
  - pmropn32.exe (PID: 6256)
  - notepad.exe (PID: 4548)
  - unsecapp.exe (PID: 1348)
  - assistant_installer.exe (PID: 3640)
  - assistant_installer.exe (PID: 6792)
  - installer.exe (PID: 6476)
  - installer.exe (PID: 1760)
  - dllhost.exe (PID: 6680)
  - Swift Exploit_37393402(1).exe (PID: 6616)
  - setup.exe (PID: 5880)
  - setup.exe (PID: 5544)
  - setup.exe (PID: 4052)
  - setup.exe (PID: 4824)
  - opera_crashreporter.exe (PID: 6624)
  - opera.exe (PID: 7008)
  - opera.exe (PID: 1020)
  - opera.exe (PID: 4976)
  - opera.exe (PID: 3552)
  - opera_crashreporter.exe (PID: 6260)
  - opera_gx_splash.exe (PID: 2356)
  - opera.exe (PID: 6232)
  - opera.exe (PID: 7032)
  - opera.exe (PID: 7036)
  - opera.exe (PID: 5920)
  - opera.exe (PID: 624)
  - CompPkgSrv.exe (PID: 8080)
  - opera_autoupdate.exe (PID: 8592)
  - installer.exe (PID: 8648)
  - opera_autoupdate.exe (PID: 8556)
  - installer.exe (PID: 8380)
  - opera_autoupdate.exe (PID: 7464)
  - opera_autoupdate.exe (PID: 8876)
  - opera.exe (PID: 8628)
  - pmropn.exe (PID: 5256)
  - opera_autoupdate.exe (PID: 9116)
  - opera_autoupdate.exe (PID: 8908)
- Creates a software uninstall entry
  - pmropn.exe (PID: 6732)
  - pmservice.exe (PID: 6328)
  - ContentI3.exe (PID: 5916)
  - pmropn.exe (PID: 5864)
  - installer.exe (PID: 6476)
- Adds/modifies Windows certificates
  - pmropn.exe (PID: 6732)
  - pmservice.exe (PID: 6328)
- Executes as Windows Service
  - pmservice.exe (PID: 6328)
- Uses RUNDLL32.EXE to load library
  - pmservice.exe (PID: 6328)
- Starts CMD.EXE for commands execution
  - pmservice.exe (PID: 6328)
- Reads the date of Windows installation
  - installer.exe (PID: 6476)
  - opera.exe (PID: 1020)
  - pmropn.exe (PID: 5864)
- The process checks if it is being run in the virtual environment
  - opera.exe (PID: 1020)
- The process executes via Task Scheduler
  - opera_autoupdate.exe (PID: 7464)
- Reads Microsoft Outlook installation path
  - pmropn.exe (PID: 5864)
- Reads Mozilla Firefox installation path
  - opera.exe (PID: 1020)
- Reads Internet Explorer settings
  - pmropn.exe (PID: 5864)
- Starts POWERSHELL.EXE for commands execution
  - pmropn.exe (PID: 5864)
- Reads the Windows owner or organization settings
  - pmropn.exe (PID: 5864)
- Potential Corporate Privacy Violation
  - pmropn.exe (PID: 5864)
- Connects to unusual port
  - pmropn.exe (PID: 5864)
INFO
- The sample compiled with english language support
  - Swift Exploit_37393402(1).exe (PID: 6616)
  - setup.exe (PID: 5880)
  - OperaGX.exe (PID: 644)
  - setup.exe (PID: 5548)
  - setup.exe (PID: 4052)
  - setup.exe (PID: 4824)
  - setup.exe (PID: 5544)
  - ContentI3.exe (PID: 5916)
  - pmropn.exe (PID: 6732)
  - Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe (PID: 1804)
  - installer.exe (PID: 1760)
  - installer.exe (PID: 6476)
- Reads the computer name
  - Swift Exploit_37393402(1).exe (PID: 6616)
  - setup.exe (PID: 4824)
  - setup.exe (PID: 4052)
  - ContentI3.exe (PID: 5916)
  - pmropn.exe (PID: 6732)
  - pmservice.exe (PID: 6328)
  - pmropn.exe (PID: 5864)
  - assistant_installer.exe (PID: 6792)
  - installer.exe (PID: 6476)
  - opera.exe (PID: 7008)
  - opera.exe (PID: 1020)
  - opera.exe (PID: 4976)
  - opera.exe (PID: 3552)
  - opera_gx_splash.exe (PID: 2356)
  - opera.exe (PID: 6484)
  - opera.exe (PID: 5920)
  - opera_autoupdate.exe (PID: 8556)
  - installer.exe (PID: 8380)
  - opera_autoupdate.exe (PID: 7464)
  - opera.exe (PID: 8628)
  - pmropn.exe (PID: 5256)
  - opera_autoupdate.exe (PID: 8908)
- Reads the machine GUID from the registry
  - Swift Exploit_37393402(1).exe (PID: 6616)
  - setup.exe (PID: 4824)
  - pmropn.exe (PID: 6732)
  - pmservice.exe (PID: 6328)
  - pmropn.exe (PID: 5864)
  - opera.exe (PID: 1020)
  - opera_autoupdate.exe (PID: 8556)
  - opera_autoupdate.exe (PID: 8592)
  - opera_autoupdate.exe (PID: 7464)
  - opera_autoupdate.exe (PID: 8876)
  - opera_autoupdate.exe (PID: 8908)
  - opera_autoupdate.exe (PID: 9116)
- Checks proxy server information
  - Swift Exploit_37393402(1).exe (PID: 6616)
  - setup.exe (PID: 4824)
  - pmropn.exe (PID: 6732)
  - pmropn.exe (PID: 5864)
  - opera_autoupdate.exe (PID: 8556)
  - opera_autoupdate.exe (PID: 7464)
  - opera.exe (PID: 8628)
  - opera_autoupdate.exe (PID: 8908)
- Checks supported languages
  - Swift Exploit_37393402(1).exe (PID: 6616)
  - OperaGX.exe (PID: 644)
  - setup.exe (PID: 4824)
  - setup.exe (PID: 5880)
  - setup.exe (PID: 4052)
  - setup.exe (PID: 5548)
  - ContentI3.exe (PID: 5916)
  - pmropn.exe (PID: 6732)
  - setup.exe (PID: 5544)
  - pmservice.exe (PID: 6328)
  - pmropn.exe (PID: 5864)
  - pmropn.exe (PID: 4360)
  - Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe (PID: 1804)
  - pmropn64.exe (PID: 6632)
  - pmropn32.exe (PID: 6256)
  - assistant_installer.exe (PID: 6792)
  - assistant_installer.exe (PID: 3640)
  - installer.exe (PID: 6476)
  - installer.exe (PID: 1760)
  - opera.exe (PID: 7008)
  - opera_crashreporter.exe (PID: 6624)
  - opera_crashreporter.exe (PID: 6260)
  - opera.exe (PID: 3552)
  - opera.exe (PID: 4976)
  - opera.exe (PID: 5404)
  - opera.exe (PID: 1020)
  - opera.exe (PID: 3540)
  - opera.exe (PID: 2076)
  - opera_gx_splash.exe (PID: 2356)
  - opera.exe (PID: 3828)
  - opera.exe (PID: 6840)
  - opera.exe (PID: 6056)
  - opera.exe (PID: 7032)
  - opera.exe (PID: 6908)
  - opera.exe (PID: 6956)
  - opera.exe (PID: 7016)
  - opera.exe (PID: 244)
  - opera.exe (PID: 6088)
  - opera.exe (PID: 3632)
  - opera.exe (PID: 7036)
  - opera.exe (PID: 624)
  - opera.exe (PID: 6484)
  - opera.exe (PID: 3656)
  - opera.exe (PID: 7176)
  - opera.exe (PID: 7420)
  - opera.exe (PID: 7204)
  - opera.exe (PID: 6232)
  - opera.exe (PID: 5920)
  - opera.exe (PID: 7216)
  - opera.exe (PID: 8016)
  - opera.exe (PID: 7980)
  - opera.exe (PID: 7996)
  - opera.exe (PID: 8048)
  - opera.exe (PID: 8040)
  - opera.exe (PID: 7988)
  - opera.exe (PID: 8024)
  - opera.exe (PID: 8056)
  - opera.exe (PID: 7972)
  - opera.exe (PID: 8072)
  - opera.exe (PID: 8096)
  - opera.exe (PID: 8008)
  - opera.exe (PID: 8156)
  - opera.exe (PID: 8228)
  - opera.exe (PID: 8020)
  - installer.exe (PID: 8380)
  - opera_autoupdate.exe (PID: 8556)
  - opera_autoupdate.exe (PID: 8592)
  - opera.exe (PID: 8580)
  - opera.exe (PID: 7948)
  - opera.exe (PID: 8076)
  - opera.exe (PID: 7596)
  - installer.exe (PID: 8648)
  - opera.exe (PID: 8688)
  - opera_autoupdate.exe (PID: 7464)
  - opera_autoupdate.exe (PID: 8876)
  - opera.exe (PID: 9076)
  - opera.exe (PID: 7600)
  - opera.exe (PID: 9160)
  - opera.exe (PID: 8904)
  - installer.exe (PID: 7644)
  - opera.exe (PID: 6876)
  - opera.exe (PID: 5616)
  - opera.exe (PID: 2928)
  - opera.exe (PID: 8388)
  - opera.exe (PID: 8852)
  - opera.exe (PID: 8168)
  - opera.exe (PID: 9116)
  - opera.exe (PID: 4244)
  - opera.exe (PID: 7632)
  - opera.exe (PID: 8588)
  - opera.exe (PID: 8628)
  - opera.exe (PID: 8956)
  - opera.exe (PID: 7840)
  - opera.exe (PID: 7224)
  - opera_autoupdate.exe (PID: 8908)
  - opera_autoupdate.exe (PID: 9116)
  - opera.exe (PID: 2800)
  - opera.exe (PID: 8008)
  - pmropn.exe (PID: 5256)
- Sends debugging messages
  - Swift Exploit_37393402(1).exe (PID: 6616)
  - assistant_installer.exe (PID: 6792)
- Creates files or folders in the user directory
  - Swift Exploit_37393402(1).exe (PID: 6616)
  - setup.exe (PID: 4824)
  - setup.exe (PID: 5880)
  - ContentI3.exe (PID: 5916)
  - pmropn.exe (PID: 6732)
  - pmropn.exe (PID: 5864)
  - setup.exe (PID: 4052)
  - installer.exe (PID: 6476)
  - opera.exe (PID: 1020)
  - opera.exe (PID: 4976)
  - opera_autoupdate.exe (PID: 7464)
  - opera.exe (PID: 8628)
- Create files in a temporary directory
  - OperaGX.exe (PID: 644)
  - setup.exe (PID: 4824)
  - setup.exe (PID: 5880)
  - setup.exe (PID: 5548)
  - setup.exe (PID: 4052)
  - setup.exe (PID: 5544)
  - ContentI3.exe (PID: 5916)
  - Swift Exploit_37393402(1).exe (PID: 6616)
  - Opera_GX_assistant_73.0.3856.382_Setup.exe_sfx.exe (PID: 1804)
  - installer.exe (PID: 1760)
  - installer.exe (PID: 6476)
  - opera.exe (PID: 1020)
  - installer.exe (PID: 8380)
  - installer.exe (PID: 8648)
  - opera_autoupdate.exe (PID: 7464)
  - installer.exe (PID: 7644)
- Reads the software policy settings
  - Swift Exploit_37393402(1).exe (PID: 6616)
  - setup.exe (PID: 4824)
  - pmropn.exe (PID: 6732)
  - pmservice.exe (PID: 6328)
  - pmropn.exe (PID: 5864)
- Process checks computer location settings
  - Swift Exploit_37393402(1).exe (PID: 6616)
  - opera.exe (PID: 1020)
  - opera.exe (PID: 6088)
  - opera.exe (PID: 6956)
  - opera.exe (PID: 3828)
  - opera.exe (PID: 6840)
  - opera.exe (PID: 6908)
  - opera.exe (PID: 6056)
  - opera.exe (PID: 7016)
  - opera.exe (PID: 3656)
  - opera.exe (PID: 7420)
  - opera.exe (PID: 7204)
  - opera.exe (PID: 7176)
  - opera.exe (PID: 7216)
  - opera.exe (PID: 7596)
  - opera.exe (PID: 7600)
  - opera.exe (PID: 9160)
  - opera.exe (PID: 8904)
  - opera.exe (PID: 8588)
  - opera.exe (PID: 7840)
  - opera.exe (PID: 7224)
- The process uses the downloaded file
  - Swift Exploit_37393402(1).exe (PID: 6616)
  - cmd.exe (PID: 1216)
  - cmd.exe (PID: 2428)
  - opera.exe (PID: 8628)
  - opera.exe (PID: 1020)
  - powershell.exe (PID: 8020)
- Reads security settings of Internet Explorer
  - notepad.exe (PID: 4548)
  - cmd.exe (PID: 1216)
  - cmd.exe (PID: 2428)
- Creates files in the program directory
  - ContentI3.exe (PID: 5916)
  - pmropn.exe (PID: 6732)
  - pmservice.exe (PID: 6328)
  - reg.exe (PID: 2996)
  - pmropn.exe (PID: 5864)
  - pmropn.exe (PID: 5256)
- Disables trace logs
  - pmropn.exe (PID: 5864)
- Manual execution by a user
  - opera.exe (PID: 1020)
- Drops encrypted VBS script (Microsoft Script Encoder)
  - pmropn.exe (PID: 5864)
- Reads Microsoft Office registry keys
  - pmropn.exe (PID: 5864)
- Reads Windows Product ID
  - pmropn.exe (PID: 5864)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.exe	\|	Win64 Executable (generic) (76.4)
.exe	\|	Win32 Executable (generic) (12.4)
.exe	\|	Generic Win/DOS Executable (5.5)
.exe	\|	DOS Executable Generic (5.5)

EXIF

EXE

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2024:10:18 17:00:18+00:00
ImageFileCharacteristics:	Executable, 32-bit
PEType:	PE32
LinkerVersion:	14.22
CodeSize:	4353024
InitializedDataSize:	1675776
UninitializedDataSize:	-
EntryPoint:	0x398c98
OSVersion:	6
ImageVersion:	-
SubsystemVersion:	6
Subsystem:	Windows GUI
FileVersionNumber:	1.0.0.0
ProductVersionNumber:	1.0.0.0
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Unknown (0)
ObjectFileType:	Unknown
FileSubtype:	-
LanguageCode:	English (U.S.)
CharacterSet:	Unicode
FileDescription:	Download Manager
FileVersion:	1
InternalName:	Download Manager
LegalCopyright:	Download Manager
OriginalFileName:	Download Manager
ProductName:	Download Manager
ProductVersion:	1

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

376

Monitored processes

242

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

"C:\PROGRA~2\PREMIE~1\pmropn32.exe" 5864

C:\Program Files (x86)\PremierOpinion\pmropn32.exe

—

cmd.exe

User:

SYSTEM

Company:

VoiceFive, Inc.

Integrity Level:

HIGH

Description:

PremierOpinion

Exit code:

3221226540

Version:

1.0.14.10 (Build 14.10)

Modules

Images
c:\program files (x86)\premieropinion\pmropn32.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll

244

CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.windows.contentdeliverymanager_cw5n1h2txyewy

C:\Windows\SysWOW64\CheckNetIsolation.exe

—

pmropn.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

AppContainer Network Isolation Diagnostic Tool

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll

244

"C:\Users\admin\AppData\Local\Programs\Opera GX\opera.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --enable-quic --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=on --with-feature:address-bar-dropdown-unfiltered-full=off --with-feature:amazon-new-ids=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-cms-configuration=on --with-feature:continue-shopping-explore=off --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-servers=off --with-feature:gx-post-mortem=on --with-feature:gx-reactinator=on --with-feature:gx-spotlight=on --with-feature:gx-video-to-phone=on --with-feature:hide-navigations-from-extensions=on --with-feature:lucid-mode-hide-text=on --with-feature:panic-button=on --with-feature:password-generator=off --with-feature:play-again=on --with-feature:realtime-impressions-reporting=on --with-feature:run-at-startup-default=on --with-feature:sd-suggestions-external=on --with-feature:session-restore-attribution=on --with-feature:side-profiles=on --with-feature:sitecheck-age=on --with-feature:tiktok-panel=on --with-feature:ui-compositor-multithreaded=on --with-feature:installer-experiment-test=off --ab_tests=GXCTest25-ref:DNA-99214_GXCTest25 --field-trial-handle=3232,i,10705159733703816815,960788927905882224,262144 --disable-features=CertificateTransparencyAskBeforeEnabling --variations-seed-version --mojo-platform-channel-handle=3500 /prefetch:8

C:\Users\admin\AppData\Local\Programs\Opera GX\opera.exe

—

opera.exe

User:

admin

Company:

Opera Software

Integrity Level:

LOW

Description:

Opera GX Internet Browser

Exit code:

Version:

115.0.5322.124

Modules

Images
c:\users\admin\appdata\local\programs\opera gx\opera.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\programs\opera gx\115.0.5322.124\opera_elf.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shcore.dll

448

CheckNetIsolation.exe LoopbackExempt -a -n=microsoft.xboxgamingoverlay_8wekyb3d8bbwe

C:\Windows\SysWOW64\CheckNetIsolation.exe

—

pmropn.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

AppContainer Network Isolation Diagnostic Tool

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\windows\syswow64\checknetisolation.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\msvcrt.dll
c:\windows\syswow64\sechost.dll

488

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

CheckNetIsolation.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

520

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

CheckNetIsolation.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

524

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

CheckNetIsolation.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

624

"C:\Users\admin\AppData\Local\Programs\Opera GX\opera.exe" --type=utility --utility-sub-type=opera.lights.mojom.Asus --lang=en-US --service-sandbox-type=none --enable-quic --with-feature:cashback-assistant=on --with-feature:address-bar-dropdown-autocompleted-domains=on --with-feature:address-bar-dropdown-unfiltered-full=off --with-feature:amazon-new-ids=on --with-feature:cashback-assistant=on --with-feature:continue-on-booking=on --with-feature:continue-on-shopping-via-amp=off --with-feature:continue-shopping=on --with-feature:continue-shopping-2=on --with-feature:continue-shopping-5=on --with-feature:continue-shopping-cms-configuration=on --with-feature:continue-shopping-explore=off --with-feature:continue-shopping-structured-partners=on --with-feature:feature-remote-disable-updates-testing-flag=off --with-feature:feature-remote-updates-testing-flag=on --with-feature:game-servers=off --with-feature:gx-post-mortem=on --with-feature:gx-reactinator=on --with-feature:gx-spotlight=on --with-feature:gx-video-to-phone=on --with-feature:hide-navigations-from-extensions=on --with-feature:lucid-mode-hide-text=on --with-feature:panic-button=on --with-feature:password-generator=off --with-feature:play-again=on --with-feature:realtime-impressions-reporting=on --with-feature:run-at-startup-default=on --with-feature:sd-suggestions-external=on --with-feature:session-restore-attribution=on --with-feature:side-profiles=on --with-feature:sitecheck-age=on --with-feature:tiktok-panel=on --with-feature:ui-compositor-multithreaded=on --with-feature:installer-experiment-test=off --ab_tests=GXCTest25-ref:DNA-99214_GXCTest25 --field-trial-handle=4996,i,10705159733703816815,960788927905882224,262144 --disable-features=CertificateTransparencyAskBeforeEnabling --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:8

C:\Users\admin\AppData\Local\Programs\Opera GX\opera.exe

—

opera.exe

User:

admin

Company:

Opera Software

Integrity Level:

MEDIUM

Description:

Opera GX Internet Browser

Exit code:

Version:

115.0.5322.124

Modules

Images
c:\users\admin\appdata\local\programs\opera gx\opera.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\users\admin\appdata\local\programs\opera gx\115.0.5322.124\opera_elf.dll
c:\windows\system32\bcryptprimitives.dll
c:\windows\system32\winmm.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\shcore.dll

644

C:\Users\admin\AppData\Local\OperaGX.exe --silent --allusers=0

C:\Users\admin\AppData\Local\OperaGX.exe

Swift Exploit_37393402(1).exe

User:

admin

Integrity Level:

HIGH

Description:

Opera installer SFX

Exit code:

Version:

115.0.5322.124

Modules

Images
c:\users\admin\appdata\local\operagx.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\user32.dll

716

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

CheckNetIsolation.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

74 297

Read events

72 878

Write events

1 240

Delete events

179

Modification events


(PID) Process:	(1276) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator
Operation:	write	Name:	SD
Value: 0100049C5C000000680000000000000014000000020048000300000000001400FF011F0001010000000000051200000000001400A900120001010000000000051300000000001800A900120001020000000000052000000020020000010100000000000512000000010100000000000512000000
(PID) Process:	(1276) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\UpdateOrchestrator\Schedule Work
Operation:	write	Name:	Index
Value: 3
(PID) Process:	(1276) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2ABBBFFC-6D6B-4B2E-8A8A-41ECCF29EE97}
Operation:	write	Name:	Hash
Value: 3B6EE4045D97AA11A9FAE50DB375B526D55466B9856CF232E0B3DDF845CC6602
(PID) Process:	(1276) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2ABBBFFC-6D6B-4B2E-8A8A-41ECCF29EE97}
Operation:	write	Name:	Schema
Value: 65538
(PID) Process:	(1276) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2ABBBFFC-6D6B-4B2E-8A8A-41ECCF29EE97}
Operation:	delete value	Name:	Version
Value:
(PID) Process:	(1276) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2ABBBFFC-6D6B-4B2E-8A8A-41ECCF29EE97}
Operation:	delete value	Name:	Date
Value:
(PID) Process:	(1276) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2ABBBFFC-6D6B-4B2E-8A8A-41ECCF29EE97}
Operation:	write	Name:	SecurityDescriptor
Value: D:P(A;;FA;;;SY)(A;;FRFX;;;LS)(A;;FRFX;;;BA)
(PID) Process:	(1276) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2ABBBFFC-6D6B-4B2E-8A8A-41ECCF29EE97}
Operation:	delete value	Name:	Source
Value:
(PID) Process:	(1276) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2ABBBFFC-6D6B-4B2E-8A8A-41ECCF29EE97}
Operation:	delete value	Name:	Author
Value:
(PID) Process:	(1276) svchost.exe	Key:	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{2ABBBFFC-6D6B-4B2E-8A8A-41ECCF29EE97}
Operation:	delete value	Name:	Description
Value:

Add for printing

Executable files

Suspicious files

684

Text files

284

Unknown types

Dropped files

PID	Process	Filename		Type
1276	svchost.exe	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Work		xml
		MD5:5FADF13CCFBDCC5DD728380F7A615B28	SHA256:FF1F73395F6B5B22D5FDA367521FE0DCC31FF252849B7FA85FA346B953A40451
6616	Swift Exploit_37393402(1).exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F44F0D8080C8C3429C5AB2379F33E907_9F640C49FF73611C0D8CAD8C0D537F4B		der
		MD5:4B1CC75668F2C8DF3E2A6F300E7BE5EE	SHA256:1C561FF37D9B038A4DB80EA616F75C08B4FC8A9DE07698AC21966E19BB22A928
6616	Swift Exploit_37393402(1).exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA		der
		MD5:3758F028479A284265CCAEF1DDD3DA8E	SHA256:4896D9C5CB2EA9F3EF19FCFA25A6C22AA9159765616BC283EDBED39BE51AD61A
6616	Swift Exploit_37393402(1).exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\05DDC6AA91765AACACDB0A5F96DF8199		binary
		MD5:7B460CB2F731112C619BAFA1C7D8117F	SHA256:E8780A493161ED25FA1E345DD073246131742C5730F18A44ACA60706C458E36C
6616	Swift Exploit_37393402(1).exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA		binary
		MD5:894C5CD5189FF208E9D3A5A068798871	SHA256:DB3529E1996FC399861D2D389000CB5646B64B91C333DF6F584DC73CE034B249
6616	Swift Exploit_37393402(1).exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8		binary
		MD5:648C8969647A3FA8828FF50BF60788E8	SHA256:95A6E9513CBE79870D8AA9A3398960DF5103FC6D8EC03FBDB249EE6D56F2E726
6616	Swift Exploit_37393402(1).exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\05DDC6AA91765AACACDB0A5F96DF8199		der
		MD5:E935BC5762068CAF3E24A2683B1B8A88	SHA256:A8ACCFCFEB51BD73DF23B91F4D89FF1A9EB7438EF5B12E8AFDA1A6FF1769E89D
1276	svchost.exe	C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance Work		xml
		MD5:4838EE953DAB2C7A1BF57E0C6620A79D	SHA256:22C798E00C4793749EAC39CFB6EA3DD75112FD4453A3706E839038A64504D45D
6616	Swift Exploit_37393402(1).exe	C:\Users\admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F44F0D8080C8C3429C5AB2379F33E907_9F640C49FF73611C0D8CAD8C0D537F4B		binary
		MD5:C2271044BE2C9E71397B8CECE5D610A5	SHA256:A2B1D56E0BA9CAC1CA431504707C17F151EC719BE3D5939D2C6EDE34579B9C71
6616	Swift Exploit_37393402(1).exe	C:\Users\admin\AppData\Local\Microsoft\Windows\INetCache\IE\KCV3KQBA\service[1].htm		text
		MD5:897A23E303574DA7D6F1DB7F93133052	SHA256:777BC6FDAA527DA231F61EF8C0728BA9FC47B635B9E6982009F341E32DA8A133

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

290

DNS requests

116

Threats

HTTP requests

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
4536	svchost.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.48.23.143:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
4536	svchost.exe	GET	200	23.38.73.129:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
4712	MoUsoCoreWorker.exe	GET	200	23.38.73.129:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
—	—	GET	200	23.38.73.129:80	http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl	unknown	—	—	whitelisted
5064	SearchApp.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTrjrydRyt%2BApF3GSPypfHBxR5XtQQUs9tIpPmhxdiuNkHMEWNpYim8S8YCEAI5PUjXAkJafLQcAAsO18o%3D	unknown	—	—	whitelisted
1176	svchost.exe	GET	200	192.229.221.95:80	http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSAUQYBMq2awn1Rh6Doh%2FsBYgFV7gQUA95QNVbRTLtm8KPiGxvDl7I90VUCEAJ0LqoXyo4hxxe7H%2Fz9DKA%3D	unknown	—	—	whitelisted
6616	Swift Exploit_37393402(1).exe	GET	200	142.250.185.67:80	http://ocsp.pki.goog/gsr1/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS3V7W2nAf4FiMTjpDJKg6%2BMgGqMQQUYHtmGkUNl8qJUC99BM00qP%2F8%2FUsCEHe9DWzbNvka6iEPxPBY0w0%3D	unknown	—	—	whitelisted
6616	Swift Exploit_37393402(1).exe	GET	200	142.250.185.67:80	http://o.pki.goog/s/wr3/0Yg/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEQDRiI70rSJu9AnH4wvTqQA5	unknown	—	—	whitelisted
6616	Swift Exploit_37393402(1).exe	GET	200	142.250.185.67:80	http://o.pki.goog/s/wr3/mIQ/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBQSq0i5t2Pafi2Gw9uzwnc7KTctWgQUx4H1%2FY6I2QA8TWOiUDEkoM4j%2FiMCEQCYhEVCcN07HQqhx9tAqom5	unknown	—	—	whitelisted

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4712	MoUsoCoreWorker.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4536	svchost.exe	23.48.23.143:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
4712	MoUsoCoreWorker.exe	23.38.73.129:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
4536	svchost.exe	23.38.73.129:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
—	—	23.38.73.129:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
5064	SearchApp.exe	2.19.80.24:443	www.bing.com	Akamai International B.V.	DE	whitelisted
5064	SearchApp.exe	192.229.221.95:80	ocsp.digicert.com	EDGECAST	US	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146 20.73.194.208	whitelisted
crl.microsoft.com	23.48.23.143 23.48.23.156	whitelisted
www.microsoft.com	23.38.73.129 95.101.149.131	whitelisted
www.bing.com	2.19.80.24 2.19.80.35 2.19.80.88 2.19.80.75 2.19.80.89 2.19.80.80 2.19.80.17 2.19.80.50 2.19.80.56 2.19.80.27 2.19.80.99	whitelisted
google.com	142.250.184.206	whitelisted
ocsp.digicert.com	192.229.221.95	whitelisted
login.live.com	20.190.159.23 20.190.159.2 40.126.31.71 20.190.159.64 20.190.159.73 20.190.159.68 20.190.159.75 40.126.31.73	whitelisted
go.microsoft.com	23.218.210.69	whitelisted
www.dlsft.com	35.190.60.70	unknown
ocsp.pki.goog	142.250.185.67	whitelisted

Threats

PID	Process	Class	Message
5864	pmropn.exe	Potential Corporate Privacy Violation	ET ADWARE_PUP Suspected PUP/PUA User-Agent (OSSProxy)
5864	pmropn.exe	Potential Corporate Privacy Violation	ET ADWARE_PUP PUP/PUA OSSProxy HTTP Header
5864	pmropn.exe	Potential Corporate Privacy Violation	ET ADWARE_PUP Suspected PUP/PUA User-Agent (OSSProxy)
5864	pmropn.exe	Potential Corporate Privacy Violation	ET ADWARE_PUP PUP/PUA OSSProxy HTTP Header
5864	pmropn.exe	Potential Corporate Privacy Violation	ET ADWARE_PUP PUP/PUA OSSProxy HTTP Header
5864	pmropn.exe	Potential Corporate Privacy Violation	ET ADWARE_PUP PUP/PUA OSSProxy HTTP Header
5864	pmropn.exe	Potential Corporate Privacy Violation	ET ADWARE_PUP PUP/PUA OSSProxy HTTP Header

Add for printing

Process	Message
Swift Exploit_37393402(1).exe	Error: (undefined) has no property - value
Swift Exploit_37393402(1).exe
Swift Exploit_37393402(1).exe
Swift Exploit_37393402(1).exe	at initializeDynamicVariables (this://app/main.html(351))
Swift Exploit_37393402(1).exe	at getFileInfo.@307@46 (this://app/main.html(329))
Swift Exploit_37393402(1).exe	scanning node question /questions/question
Swift Exploit_37393402(1).exe	scanning node question /questions/question
Swift Exploit_37393402(1).exe	scanning node question /questions/question
Swift Exploit_37393402(1).exe	scanning node question /questions/question
Swift Exploit_37393402(1).exe	scanning node questions /questions

General Info

Swift Exploit_37393402(1).exe

15D1C495FF66BF7CEA8A6D14BFDF0A20

942814521FA406A225522F208AC67F90DBDE0AE7

61C2C4A5D7C14F77EE88871DED4CC7F1E49DAE3E4EF209504C66FEDF4D22DE42

98304:DtjM+LgnHM8mNLNpOmMGl2p9tjIQh+1GHp8PGmDFzMVv3kdcpR41TBN14BC6SkPT:Kw8

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Application was injected by another process

Runs injected code in another process

Actions looks like stealing of personal data

Change Internet Settings

Changes the autorun value in the registry

Steals credentials from Web Browsers

OSSPROXY has been detected (SURICATA)

ADWARE has been detected (SURICATA)

SUSPICIOUS

Reads security settings of Internet Explorer

Executable content was dropped or overwritten

Checks Windows Trust Settings

Application launched itself

Starts itself from another location

Start notepad (likely ransomware note)

Searches for installed software

Creates a software uninstall entry

Adds/modifies Windows certificates

Executes as Windows Service

Uses RUNDLL32.EXE to load library

Starts CMD.EXE for commands execution

Reads the date of Windows installation

The process checks if it is being run in the virtual environment

The process executes via Task Scheduler

Reads Microsoft Outlook installation path

Reads Mozilla Firefox installation path

Reads Internet Explorer settings

Starts POWERSHELL.EXE for commands execution

Reads the Windows owner or organization settings

Potential Corporate Privacy Violation

Connects to unusual port

INFO

The sample compiled with english language support

Reads the computer name

Reads the machine GUID from the registry

Checks proxy server information

Checks supported languages

Sends debugging messages

Creates files or folders in the user directory

Create files in a temporary directory

Reads the software policy settings

Process checks computer location settings

The process uses the downloaded file

Reads security settings of Internet Explorer

Creates files in the program directory

Disables trace logs

Manual execution by a user

Drops encrypted VBS script (Microsoft Script Encoder)

Reads Microsoft Office registry keys

Reads Windows Product ID

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules