Analysis
- max time kernel: 119s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20240705-en
- resource tags: arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
- submitted: 10-07-2024 08:21
Static task
- static1
Behavioral tasks
- behavioral1: SWIFT.exe on win7-20240705-en
- behavioral2: SWIFT.exe on win10v2004-20240709-en
- behavioral3: $PLUGINSDIR/System.dll on win7-20240704-en
- behavioral4: $PLUGINSDIR/System.dll on win10v2004-20240709-en
- behavioral5: $PLUGINSDIR/nsExec.dll on win7-20240704-en
- behavioral6: $PLUGINSDIR/nsExec.dll on win10v2004-20240709-en
$PLUGINSDIR/System.dll and $PLUGINSDIR/nsExec.dll are the stock NSIS plugins unpacked by the installer stub, which identifies SWIFT.exe as an NSIS-built package. The signatures and process tree below are from behavioral1 (Windows 7 x64).
General
- Target: SWIFT.exe
- Size: 775KB
- MD5: 0d0f944239a7dd07826e28edf9647185
- SHA1: 3911f09935fb37f9f6cc3ff990e12e6143282d8a
- SHA256: c58de5f40be8fd760fc08b1ef7ae5a3f5771dbc214426156e3a21a89bb8303fc
- SHA512: e5077fa3179d7082587d606b8c8c6b5c0d74794225394522d92a06295e962a1cdb9868ac415720e3908222cc6c55312d24868be8d8ec2e52ef81243080fe5b7e
- SSDEEP: 12288:7akAv7gfFvt8pjs0p1cvxM/r9RKGqHmIdD+c:+kiext2Y0QMz9RKHHF9D
Malware Config
Extracted
- family: snakekeylogger
- exfiltration endpoint: https://api.telegram.org/bot7377884885:AAGDE6_d9hXHQkXeQnXVnXZia5CIJu4gajM/sendMessage?chat_id=7161549085
The stealer reports over the Telegram Bot API (sendMessage to a fixed chat_id). The bot token embedded in the URL path is the operator's credential and is an indicator in its own right; on the wire the only thing to see is HTTPS to api.telegram.org from a non-browser process, which is the network-level detection opportunity.
Signatures
-
Snake Keylogger
Keylogger and Infostealer first seen in November 2020.
-
Snake Keylogger payload 2 IoCs
Processes (resource / yara_rule):
- behavioral1/memory/2304-991-0x00000000004A0000-0x0000000001502000-memory.dmp: family_snakekeylogger
- behavioral1/memory/2304-992-0x00000000004A0000-0x00000000004C6000-memory.dmp: family_snakekeylogger
Both YARA hits are in PID 2304, the second SWIFT.exe instance, not in the original PID 3008: the installer process only unpacks and injects, and the keylogger runs in the child (see "Suspicious use of SetThreadContext" below).
-
Loads dropped DLL 64 IoCs
Processes:
- all 64 load events are by PID 3008 SWIFT.exe (the signature is capped at 64 entries)
The count is consistent with NSIS loading and unloading its plugin DLLs (System.dll and nsExec.dll from the behavioral tasks above) on every plugin call; the module names are not shown in this view of the report.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
Processes (Key opened, by SWIFT.exe):
- \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
- \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
- flow 14: checkip.dyndns.org
-
Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
Processes:
- PID 2304 SWIFT.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
- PID 3008 SWIFT.exe
- PID 2304 SWIFT.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
- PID 3008 SWIFT.exe set thread context of PID 2304 SWIFT.exe
This is the hand-off from the NSIS installer to the payload: 3008 starts a second copy of its own image (PID 2304 in the process tree), rewrites the child's thread context to run injected code, and the Snake Keylogger YARA matches and the credential-access signatures all land in 2304. Both processes set ThreadHideFromDebugger on their threads, so take the memory dumps the sandbox already produced rather than expecting a live debugger to follow 2304.
-
Drops file in Program Files directory 2 IoCs
Processes (by SWIFT.exe):
- File created: C:\Program Files (x86)\Common Files\rampire.lnk
- File opened for modification: C:\Program Files (x86)\breplanerne\Pist.ini
-
Drops file in Windows directory 2 IoCs
Processes (by SWIFT.exe):
- File opened for modification: C:\Windows\Fonts\sysselstter\Complexer.ini
- File opened for modification: C:\Windows\resources\0409\Markazes\Sprtter.Dem
Writes under Program Files and C:\Windows need administrative rights, which the sandbox's Admin account supplied; on a standard-user host these drops would fail or land elsewhere, so do not rely on these exact paths as the only host indicators.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
- PID 2304 SWIFT.exe (2 events)
-
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
- PID 3008 SWIFT.exe
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
- Token: SeDebugPrivilege, PID 2304 SWIFT.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
- PID 3008 SWIFT.exe wrote to the memory of its cmd.exe children, four events per child, for child PIDs 2912, 2468, 2820, 2624, 2456, 2976, 1684, 332, 2636, 476, 1816, 444, 1072, 1404, 1900 and 1920 (the signature is capped at 64 entries, so only the first 16 of the 294 cmd.exe helpers in the process tree appear)
Four writes into a freshly created child is consistent with CreateProcess handing the new process its startup parameters, not with code injection; the injection in this sample is the SetThreadContext event against PID 2304 above.
-
outlook_office_path 1 IoCs
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (SWIFT.exe)
-
outlook_win_path 1 IoCs
Processes:
- Key opened: \REGISTRY\USER\S-1-5-21-2172136094-3310281978-782691160-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (SWIFT.exe)
Processes
- Level 1, PID 3008: C:\Users\Admin\AppData\Local\Temp\SWIFT.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT.exe"
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  Level-2 children of PID 3008, in spawn order. Every cmd.exe entry is the image C:\Windows\SysWOW64\cmd.exe (the WOW64 copy, so SWIFT.exe is a 32-bit process); each line gives the child PID and its command line. PIDs are recycled as the short-lived helpers exit (2820, for example, appears more than once), so read the list by position, not by PID. Each helper evaluates one `set /a "N^177"` expression, i.e. N XOR 177, and prints the result: the 294 results, taken in order, are the characters of the installer's NSIS System::Call strings, decoded one byte per process so that the plaintext never appears in the script itself.
  - PID 2912  cmd.exe /c set /a "250^177"
  - PID 2468  cmd.exe /c set /a "244^177"
  - PID 2820  cmd.exe /c set /a "227^177"
  - PID 2624  cmd.exe /c set /a "255^177"
  - PID 2456  cmd.exe /c set /a "244^177"
  - PID 2976  cmd.exe /c set /a "253^177"
  - PID 1684  cmd.exe /c set /a "130^177"
  - PID 332  cmd.exe /c set /a "131^177"
  - PID 2636  cmd.exe /c set /a "139^177"
  - PID 476  cmd.exe /c set /a "139^177"
  - PID 1816  cmd.exe /c set /a "242^177"
  - PID 444  cmd.exe /c set /a "195^177"
  - PID 1072  cmd.exe /c set /a "212^177"
  - PID 1404  cmd.exe /c set /a "208^177"
  - PID 1900  cmd.exe /c set /a "197^177"
  - PID 1920  cmd.exe /c set /a "212^177"
  - PID 1860  cmd.exe /c set /a "247^177"
  - PID 2088  cmd.exe /c set /a "216^177"
  - PID 548  cmd.exe /c set /a "221^177"
  - PID 600  cmd.exe /c set /a "212^177"
  - PID 1848  cmd.exe /c set /a "240^177"
  - PID 2364  cmd.exe /c set /a "153^177"
  - PID 3068  cmd.exe /c set /a "220^177"
  - PID 1808  cmd.exe /c set /a "145^177"
  - PID 1252  cmd.exe /c set /a "195^177"
  - PID 2240  cmd.exe /c set /a "133^177"
  - PID 2424  cmd.exe /c set /a "145^177"
  - PID 2752  cmd.exe /c set /a "157^177"
  - PID 1348  cmd.exe /c set /a "145^177"
  - PID 1784  cmd.exe /c set /a "216^177"
  - PID 3000  cmd.exe /c set /a "145^177"
  - PID 2368  cmd.exe /c set /a "129^177"
  - PID 2676  cmd.exe /c set /a "201^177"
  - PID 2904  cmd.exe /c set /a "137^177"
  - PID 2620  cmd.exe /c set /a "129^177"
  - PID 2820  cmd.exe /c set /a "129^177"
  - PID 2624  cmd.exe /c set /a "129^177"
  - PID 2456  cmd.exe /c set /a "129^177"
  - PID 2976  cmd.exe /c set /a "129^177"
  - PID 1684  cmd.exe /c set /a "129^177"
  - PID 1284  cmd.exe /c set /a "129^177"
  - PID 2804  cmd.exe /c set /a "157^177"
  - PID 1288  cmd.exe /c set /a "145^177"
  - PID 1816  cmd.exe /c set /a "216^177"
  - PID 444  cmd.exe /c set /a "145^177"
  - PID 1072  cmd.exe /c set /a "129^177"
  - PID 1404  cmd.exe /c set /a "157^177"
  - PID 1900  cmd.exe /c set /a "145^177"
  - PID 1920  cmd.exe /c set /a "193^177"
  - PID 1860  cmd.exe /c set /a "145^177"
  - PID 2088  cmd.exe /c set /a "129^177"
  - PID 548  cmd.exe /c set /a "157^177"
  - PID 600  cmd.exe /c set /a "145^177"
  - PID 1848  cmd.exe /c set /a "216^177"
  - PID 1840  cmd.exe /c set /a "145^177"
  - PID 1540  cmd.exe /c set /a "133^177"
  - PID 2028  cmd.exe /c set /a "157^177"
  - PID 1928  cmd.exe /c set /a "145^177"
  - PID 2884  cmd.exe /c set /a "216^177"
  - PID 972  cmd.exe /c set /a "145^177"
  - PID 2360  cmd.exe /c set /a "129^177"
  - PID 2380  cmd.exe /c set /a "201^177"
  - PID 1784  cmd.exe /c set /a "137^177"
  - PID 2756  cmd.exe /c set /a "129^177"
  - PID 2568  cmd.exe /c set /a "157^177"
  - PID 2684  cmd.exe /c set /a "145^177"
  - PID 2592  cmd.exe /c set /a "216^177"
  - PID 1936  cmd.exe /c set /a "145^177"
  - PID 3016  cmd.exe /c set /a "129^177"
  - PID 2632  cmd.exe /c set /a "152^177"
  - PID 2472  cmd.exe /c set /a "216^177"
  - PID 3060  cmd.exe /c set /a "159^177"
  - PID 2528  cmd.exe /c set /a "195^177"
  - PID 1216  cmd.exe /c set /a "132^177"
  - PID 1284  cmd.exe /c set /a "141^177"
  - PID 2804  cmd.exe /c set /a "250^177"
  - PID 476  cmd.exe /c set /a "244^177"
  - PID 2780  cmd.exe /c set /a "227^177"
  - PID 1972  cmd.exe /c set /a "255^177"
  - PID 2656  cmd.exe /c set /a "244^177"
  - PID 2444  cmd.exe /c set /a "253^177"
  - PID 1756  cmd.exe /c set /a "130^177"
  - PID 2348  cmd.exe /c set /a "131^177"
  - PID 1976  cmd.exe /c set /a "139^177"
  - PID 2328  cmd.exe /c set /a "139^177"
  - PID 2204  cmd.exe /c set /a "231^177"
  - PID 548  cmd.exe /c set /a "216^177"
  - PID 1644  cmd.exe /c set /a "195^177"
  - PID 1940  cmd.exe /c set /a "197^177"
  - PID 328  cmd.exe /c set /a "196^177"
  - PID 1144  cmd.exe /c set /a "208^177"
  - PID 1908  cmd.exe /c set /a "221^177"
  - PID 3036  cmd.exe /c set /a "240^177"
  - PID 2240  cmd.exe /c set /a "221^177"
  - PID 2424  cmd.exe /c set /a "221^177"
  - PID 1192  cmd.exe /c set /a "222^177"
  - PID 1504  cmd.exe /c set /a "210^177"
  - PID 1968  cmd.exe /c set /a "153^177"
  - PID 1596  cmd.exe /c set /a "216^177"
  - PID 2616  cmd.exe /c set /a "145^177"
  - PID 2732  cmd.exe /c set /a "129^177"
  - PID 3064  cmd.exe /c set /a "157^177"
  - PID 2748  cmd.exe /c set /a "216^177"
  - PID 2836  cmd.exe /c set /a "145^177"
  - PID 2628  cmd.exe /c set /a "133^177"
  - PID 2492  cmd.exe /c set /a "132^177"
  - PID 2980  cmd.exe /c set /a "135^177"
  - PID 588  cmd.exe /c set /a "128^177"
  - PID 1684  cmd.exe /c set /a "134^177"
  - PID 332  cmd.exe /c set /a "128^177"
  - PID 2636  cmd.exe /c set /a "132^177"
  - PID 1472  cmd.exe /c set /a "131^177"
  - PID 2768  cmd.exe /c set /a "157^177"
  - PID 1132  cmd.exe /c set /a "145^177"
  - PID 2448  cmd.exe /c set /a "216^177"
  - PID 1780  cmd.exe /c set /a "145^177"
  - PID 1672  cmd.exe /c set /a "129^177"
  - PID 2796  cmd.exe /c set /a "201^177"
  - PID 1984  cmd.exe /c set /a "130^177"
  - PID 2104  cmd.exe /c set /a "129^177"
  - PID 2088  cmd.exe /c set /a "129^177"
  - PID 944  cmd.exe /c set /a "129^177"
  - PID 308  cmd.exe /c set /a "157^177"
  - PID 2376  cmd.exe /c set /a "145^177"
  - PID 2092  cmd.exe /c set /a "216^177"
  - PID 2076  cmd.exe /c set /a "145^177"
  - PID 1808  cmd.exe /c set /a "129^177"
  - PID 1252  cmd.exe /c set /a "201^177"
  - PID 1732  cmd.exe /c set /a "133^177"
  - PID 1916  cmd.exe /c set /a "129^177"
  - PID 972  cmd.exe /c set /a "152^177"
  - PID 1028  cmd.exe /c set /a "193^177"
  - PID 2280  cmd.exe /c set /a "159^177"
  - PID 1968  cmd.exe /c set /a "195^177"
  - PID 2596  cmd.exe /c set /a "128^177"
  - PID 2680  cmd.exe /c set /a "141^177"
  - PID 2664  cmd.exe /c set /a "250^177"
  - PID 2640  cmd.exe /c set /a "244^177"
  - PID 1304  cmd.exe /c set /a "227^177"
  - PID 2516  cmd.exe /c set /a "255^177"
  - PID 2480  cmd.exe /c set /a "244^177"
  - PID 2456  cmd.exe /c set /a "253^177"
  - PID 2084  cmd.exe /c set /a "130^177"
  - PID 2556  cmd.exe /c set /a "131^177"
  - PID 532  cmd.exe /c set /a "139^177"
  - PID 2036  cmd.exe /c set /a "139^177"
  - PID 2856  cmd.exe /c set /a "226^177"
  - PID 1264  cmd.exe /c set /a "212^177"
  - PID 436  cmd.exe /c set /a "197^177"
  - PID 304  cmd.exe /c set /a "247^177"
  - PID 852  cmd.exe /c set /a "216^177"
  - PID 2200  cmd.exe /c set /a "221^177"
  - PID 2332  cmd.exe /c set /a "212^177"
  - PID 1920  cmd.exe /c set /a "225^177"
  - PID 2096  cmd.exe /c set /a "222^177"
  - PID 2068  cmd.exe /c set /a "216^177"
  - PID 1612  cmd.exe /c set /a "223^177"
  - PID 2428  cmd.exe /c set /a "197^177"
  - PID 1528  cmd.exe /c set /a "212^177"
  - PID 2320  cmd.exe /c set /a "195^177"
  - PID 2784  cmd.exe /c set /a "153^177"
  - PID 1796  cmd.exe /c set /a "216^177"
  - PID 2252  cmd.exe /c set /a "145^177"
  - PID 2260  cmd.exe /c set /a "195^177"
  - PID 2408  cmd.exe /c set /a "132^177"
  - PID 1792  cmd.exe /c set /a "157^177"
  - PID 2752  cmd.exe /c set /a "145^177"
  - PID 876  cmd.exe /c set /a "216^177"
  - PID 1592  cmd.exe /c set /a "145^177"
  - PID 1968  cmd.exe /c set /a "135^177"
  - PID 2736  cmd.exe /c set /a "134^177"
  - PID 2684  cmd.exe /c set /a "134^177"
  - PID 3064  cmd.exe /c set /a "145^177"
  - PID 2484  cmd.exe /c set /a "157^177"
  - PID 3016  cmd.exe /c set /a "145^177"
  - PID 2632  cmd.exe /c set /a "216^177"
  - PID 2492  cmd.exe /c set /a "145^177"
  - PID 2244  cmd.exe /c set /a "129^177"
  - PID 764  cmd.exe /c set /a "157^177"
  - PID 1688  cmd.exe /c set /a "216^177"
  - PID 332  cmd.exe /c set /a "145^177"
  - PID 680  cmd.exe /c set /a "129^177"
  - PID 2760  cmd.exe /c set /a "152^177"
  - PID 1148  cmd.exe /c set /a "216^177"
  - PID 1972  cmd.exe /c set /a "159^177"
  - PID 2400  cmd.exe /c set /a "195^177"
  - PID 2000  cmd.exe /c set /a "130^177"
  - PID 1932  cmd.exe /c set /a "141^177"
  - PID 2348  cmd.exe /c set /a "250^177"
  - PID 2184  cmd.exe /c set /a "244^177"
  - PID 1852  cmd.exe /c set /a "227^177"
  - PID 1948  cmd.exe /c set /a "255^177"
  - PID 1320  cmd.exe /c set /a "244^177"
  - PID 1536  cmd.exe /c set /a "253^177"
  - PID 2956  cmd.exe /c set /a "130^177"
  - PID 1756  cmd.exe /c set /a "131^177"
  - PID 1540  cmd.exe /c set /a "139^177"
  - PID 2028  cmd.exe /c set /a "139^177"
  - PID 2284  cmd.exe /c set /a "227^177"
  - PID 1332  cmd.exe /c set /a "212^177"
  - PID 2040  cmd.exe /c set /a "208^177"
  - PID 1716  cmd.exe /c set /a "213^177"
  - PID 1508  cmd.exe /c set /a "247^177"
  - PID 2380  cmd.exe /c set /a "216^177"
  - PID 3000  cmd.exe /c set /a "221^177"
  - PID 340  cmd.exe /c set /a "212^177"
  - PID 2276  cmd.exe /c set /a "153^177"
  - PID 2912  cmd.exe /c set /a "216^177"
  - PID 2336  cmd.exe /c set /a "145^177"
  - PID 2832  cmd.exe /c set /a "195^177"
  - PID 2688  cmd.exe /c set /a "132^177"
  - PID 2624  cmd.exe /c set /a "157^177"
  - PID 2492  cmd.exe /c set /a "145^177"
  - PID 3060  cmd.exe /c set /a "216^177"
  - PID 2528  cmd.exe /c set /a "145^177"
  - PID 1216  cmd.exe /c set /a "195^177"
  - PID 1484  cmd.exe /c set /a "128^177"
  - PID 2804  cmd.exe /c set /a "157^177"
  - PID 476  cmd.exe /c set /a "145^177"
  - PID 2780  cmd.exe /c set /a "216^177"
  - PID 1132  cmd.exe /c set /a "145^177"
  - PID 2656  cmd.exe /c set /a "133^177"
  - PID 2444  cmd.exe /c set /a "132^177"
  - PID 2440  cmd.exe /c set /a "135^177"
  - PID 2796  cmd.exe /c set /a "128^177"
  - PID 1976  cmd.exe /c set /a "134^177"
  - PID 2328  cmd.exe /c set /a "128^177"
  - PID 2204  cmd.exe /c set /a "132^177"
  - PID 944  cmd.exe /c set /a "131^177"
  - PID 308  cmd.exe /c set /a "157^177"
  - PID 1940  cmd.exe /c set /a "155^177"
  - PID 2092  cmd.exe /c set /a "216^177"
  - PID 2076  cmd.exe /c set /a "145^177"
  - PID 1996  cmd.exe /c set /a "129^177"
  - PID 2300  cmd.exe /c set /a "157^177"
  - PID 1732  cmd.exe /c set /a "145^177"
  - PID 1916  cmd.exe /c set /a "216^177"
  - PID 972  cmd.exe /c set /a "145^177"
  - PID 1028  cmd.exe /c set /a "129^177"
  - PID 2280  cmd.exe /c set /a "152^177"
  - PID 1084  cmd.exe /c set /a "216^177"
  - PID 2596  cmd.exe /c set /a "159^177"
  - PID 2600  cmd.exe /c set /a "195^177"
  - PID 2704  cmd.exe /c set /a "130^177"
  - PID 3064  cmd.exe /c set /a "141^177"
  - PID 1696  cmd.exe /c set /a "196^177"
  - PID 2572  cmd.exe /c set /a "194^177"
  - PID 2504  cmd.exe /c set /a "212^177"
  - PID 2456  cmd.exe /c set /a "195^177"
  - PID 2244  cmd.exe /c set /a "130^177"
  - PID 764  cmd.exe /c set /a "131^177"
  - PID 1688  cmd.exe /c set /a "139^177"
  - PID 332  cmd.exe /c set /a "139^177"
  - PID 680  cmd.exe /c set /a "242^177"
  - PID 1472  cmd.exe /c set /a "208^177"
  - PID 1148  cmd.exe /c set /a "221^177"
  - PID 1972  cmd.exe /c set /a "221^177"
  - PID 2400  cmd.exe /c set /a "230^177"
  - PID 2000  cmd.exe /c set /a "216^177"
  - PID 1932  cmd.exe /c set /a "223^177"
  - PID 2348  cmd.exe /c set /a "213^177"
  - PID 2184  cmd.exe /c set /a "222^177"
  - PID 1852  cmd.exe /c set /a "198^177"
  - PID 1948  cmd.exe /c set /a "225^177"
  - PID 1856  cmd.exe /c set /a "195^177"
  - PID 744  cmd.exe /c set /a "222^177"
  - PID 2956  cmd.exe /c set /a "210^177"
  - PID 1756  cmd.exe /c set /a "240^177"
  - PID 1540  cmd.exe /c set /a "153^177"
  - PID 2288  cmd.exe /c set /a "216^177"
  - PID 2284  cmd.exe /c set /a "145^177"
  - PID 1332  cmd.exe /c set /a "195^177"
  - PID 2040  cmd.exe /c set /a "128^177"
  - PID 1716  cmd.exe /c set /a "145^177"
  - PID 2360  cmd.exe /c set /a "157^177"
  - PID 880  cmd.exe /c set /a "216^177"
  - PID 1796  cmd.exe /c set /a "145^177"
  - PID 340  cmd.exe /c set /a "129^177"
  - PID 2276  cmd.exe /c set /a "157^177"
  - PID 2872  cmd.exe /c set /a "216^177"
  - PID 2820  cmd.exe /c set /a "145^177"
  - PID 2832  cmd.exe /c set /a "129^177"
  - PID 2688  cmd.exe /c set /a "157^177"
  - PID 2624  cmd.exe /c set /a "145^177"
  - PID 2492  cmd.exe /c set /a "216^177"
  - PID 2584  cmd.exe /c set /a "145^177"
  - PID 2912  cmd.exe /c set /a "129^177"
  - PID 1216  cmd.exe /c set /a "157^177"
  - PID 1484  cmd.exe /c set /a "145^177"
  - PID 2804  cmd.exe /c set /a "216^177"
  - PID 2136  cmd.exe /c set /a "145^177"
  - PID 2780  cmd.exe /c set /a "129^177"
  - PID 1132  cmd.exe /c set /a "152^177"
  - PID 2656  cmd.exe /c set /a "141^177"
  - Level 2, PID 2304: C:\Users\Admin\AppData\Local\Temp\SWIFT.exe (second instance of the same image, started by 3008 after the cmd.exe helpers and used as the injection target)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SWIFT.exe"
    - Accesses Microsoft Outlook profiles
    - Suspicious use of NtCreateThreadExHideFromDebugger
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - outlook_office_path
    - outlook_win_path
Network
MITRE ATT&CK Enterprise v15
Downloads
Two files were captured from the run; the report does not name them in this view, but the sizes are consistent with the $PLUGINSDIR/System.dll and $PLUGINSDIR/nsExec.dll samples listed in the behavioral tasks above.
- Filesize: 11KB
  MD5: 4d3b19a81bd51f8ce44b93643a4e3a99
  SHA1: 35f8b00e85577b014080df98bd2c378351d9b3e9
  SHA256: fda0018ab182ac6025d2fc9a2efcce3745d1da21ce5141859f8286cf319a52ce
  SHA512: b2ba9c961c0e1617f802990587a9000979ab5cc493ae2f8ca852eb43eeaf24916b0b29057dbff7d41a1797dfb2dce3db41990e8639b8f205771dbec3fd80f622
- Filesize: 6KB
  MD5: 3eb4cd50dcb9f5981f5408578cb7fb70
  SHA1: 13b38cc104ba6ee22dc4dfa6e480e36587f4bc71
  SHA256: 1c2f19e57dc72587aa00800a498c5f581b7d6761dc13b24bcf287ea7bd5ca2bf
  SHA512: 5a0c9d28df7a77e157046dce876282c48f434a441ee34e12b88f55be31be536eff676f580adbe4586da3f1519f94b5793ccbb3068b4b009eee286c0c5135d324