92a841c1968bcbb08c081fa2df12d16e4a8011a49600c501cc49ffbe9360e8d5

General

Target

odeme SWIFT.exe
Size

1.6MB
MD5

586e761b6f03a2ea904ca2b3c8ad24e2
SHA1

34893070fbd5fa441bdff1313c20793c25d1e7c0
SHA256

199533f77cb4331908a90346f24610888ef42d6dd2f9866b733752426702e737
SHA512

67058f6f9932d17bffefa2c6780b85f4c7fc731addbf15df4cff694e0067d29833103e23315a5c767f0cd4a6bd5ac810519b86760142caf78c49e21d47013a9e

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

odeme SWIFTmgr.exe

pid process

1420 odeme SWIFTmgr.exe

pid	process
1420	odeme SWIFTmgr.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\odeme SWIFTmgr.exe	upx
C:\Users\Admin\AppData\Local\Temp\odeme SWIFTmgr.exe	upx

Drops startup file 1 IoCs

Processes:

odeme SWIFT.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\lpremove.url	odeme SWIFT.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

odeme SWIFT.exe

pid	process
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe
3756	odeme SWIFT.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

odeme SWIFT.exe

pid process

3756 odeme SWIFT.exe
3756 odeme SWIFT.exe
3756 odeme SWIFT.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

odeme SWIFT.exe

pid process

3756 odeme SWIFT.exe
3756 odeme SWIFT.exe
3756 odeme SWIFT.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

odeme SWIFT.exe

description	pid	process	target process
PID 3756 wrote to memory of 1420	3756	odeme SWIFT.exe	odeme SWIFTmgr.exe
PID 3756 wrote to memory of 1420	3756	odeme SWIFT.exe	odeme SWIFTmgr.exe
PID 3756 wrote to memory of 1420	3756	odeme SWIFT.exe	odeme SWIFTmgr.exe
PID 3756 wrote to memory of 4864	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4864	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4864	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4356	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4356	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4356	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4340	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4340	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4340	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 2908	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 2908	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 2908	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 3712	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 3712	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 3712	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 1804	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 1804	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 1804	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4272	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4272	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4272	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4304	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4304	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4304	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4316	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4316	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4316	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4232	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4232	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4232	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4248	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4248	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4248	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4216	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4216	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4216	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4328	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4328	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4328	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4212	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4212	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4212	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4556	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4556	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4556	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 1368	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 1368	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 1368	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4636	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4636	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4636	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 2732	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 2732	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 2732	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 888	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 888	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 888	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4428	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4428	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4428	3756	odeme SWIFT.exe	odeme SWIFT.exe
PID 3756 wrote to memory of 4604	3756	odeme SWIFT.exe	odeme SWIFT.exe

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
1⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3756

C:\Users\Admin\AppData\Local\Temp\odeme SWIFTmgr.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFTmgr.exe"
2⤵
- Executes dropped EXE
PID:1420

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3712

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:2908

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4340

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4356

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4864

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:1804

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4304

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4316

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4232

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4248

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4556

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4212

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4328

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4216

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4636

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:888

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:2732

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4428

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4604

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:1552

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:1532

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:796

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:1564

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3436

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4688

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:2884

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:5024

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3320

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:5064

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4976

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4668

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:2088

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3920

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:2364

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3960

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4856

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4200

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:2016

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4192

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:2644

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4444

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3752

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:116

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3748

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:2920

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3400

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4488

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4112

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3192

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:2516

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4628

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4568

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3820

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3260

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3868

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3640

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3728

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3504

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:2296

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3656

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3488

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:984

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3416

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4980

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:2980

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:5008

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:1600

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4968

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:1316

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:1256

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:1248

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:912

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:5096

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:1608

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4820

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4768

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:4608

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:1704

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:384

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:2724

C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe
"C:\Users\Admin\AppData\Local\Temp\odeme SWIFT.exe"
2⤵
PID:2072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\odeme SWIFTmgr.exe
Filesize
105KB

MD5
d5ca6e1f080abc64bbb11e098acbeabb

SHA1
1849634bf5a65e1baddddd4452c99dfa003e2647

SHA256
30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

SHA512
aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

Download Submit
C:\Users\Admin\AppData\Local\Temp\odeme SWIFTmgr.exe
Filesize
105KB

MD5
d5ca6e1f080abc64bbb11e098acbeabb

SHA1
1849634bf5a65e1baddddd4452c99dfa003e2647

SHA256
30193b5ccf8a1834eac3502ef165350ab74b107451145f3d2937fdf24b9eceae

SHA512
aa57ce51de38af6212d7339c4baac543a54b0f527621b0ef9e78eca5e5699e8508a154f54f8ac04135527d8417275eeee72a502a362547575699330cc756b161

Download Submit
memory/1420-130-0x0000000000000000-mapping.dmp

Download
memory/3756-133-0x0000000001850000-0x000000000187D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads