744c71a523be4f651482eac7ac5556c3d2cd14f79b244ed05e10b0938848f976

General

Target

pago copia SWIFT pdf.exe
Size

1.8MB
MD5

64ce539f8167e9cc887a87f859533933
SHA1

a736ba56beb2b342468f36f63e7dce53777dbb34
SHA256

f6397532d0b859cf1b26c55f29ec9af49613ce462643d4dc31478c4f231d2833
SHA512

d5b763e6259ab3cc9955583ddf20a378de6f73d2286243ee5bb1453244321300ffb9bf274dd45ccf43575ddb83fd0fcd71267e11c4f2c44b0b868a905ff59e21

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

pago copia SWIFT pdf.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\.url	pago copia SWIFT pdf.exe

Drops file in Windows directory 6 IoCs

Processes:

svchost.exe

description	ioc	process
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	svchost.exe
File opened for modification	C:\Windows\WindowsUpdate.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.edb	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm	svchost.exe

Suspicious behavior: MapViewOfSection 64 IoCs

Processes:

pago copia SWIFT pdf.exe

pid	process
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe
2588	pago copia SWIFT pdf.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exe

description	pid	process
Token: SeShutdownPrivilege	4400	svchost.exe
Token: SeCreatePagefilePrivilege	4400	svchost.exe
Token: SeShutdownPrivilege	4400	svchost.exe
Token: SeCreatePagefilePrivilege	4400	svchost.exe
Token: SeShutdownPrivilege	4400	svchost.exe
Token: SeCreatePagefilePrivilege	4400	svchost.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

pago copia SWIFT pdf.exe

pid process

2588 pago copia SWIFT pdf.exe
2588 pago copia SWIFT pdf.exe
2588 pago copia SWIFT pdf.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

pago copia SWIFT pdf.exe

pid process

2588 pago copia SWIFT pdf.exe
2588 pago copia SWIFT pdf.exe
2588 pago copia SWIFT pdf.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

pago copia SWIFT pdf.exe

description	pid	process	target process
PID 2588 wrote to memory of 5036	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 5036	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 5036	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 360	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 360	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 360	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4776	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4776	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4776	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4796	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4796	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4796	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 5000	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 5000	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 5000	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4292	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4292	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4292	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4300	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4300	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4300	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4272	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4272	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4272	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4748	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4748	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4748	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 952	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 952	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 952	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 948	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 948	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 948	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4296	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4296	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4296	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4312	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4312	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4312	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 1236	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 1236	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 1236	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 1240	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 1240	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 1240	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 3120	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 3120	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 3120	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4664	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4664	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 4664	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 1296	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 1296	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 1296	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 1396	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 1396	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 1396	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 2308	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 2308	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 2308	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 1556	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 1556	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 1556	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe
PID 2588 wrote to memory of 2240	2588	pago copia SWIFT pdf.exe	pago copia SWIFT pdf.exe

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
1⤵
- Drops startup file
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2588

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:5036

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:360

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4776

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4796

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:5000

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4292

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4300

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4272

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4748

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:952

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:948

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4312

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:1236

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:1240

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4664

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3120

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:1296

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:2308

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:1396

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:1556

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:2240

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:1756

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:1812

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4064

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:2568

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:2584

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:2964

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:1880

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:2068

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:1688

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:2436

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4100

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3764

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3396

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4276

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:216

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:260

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:220

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3168

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4028

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3188

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3340

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:1936

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4684

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3052

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:1012

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3116

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:5092

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4160

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:1852

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3988

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4764

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4756

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4236

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4388

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4392

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:2504

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4432

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4408

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4616

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4416

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3760

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4004

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3792

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:2236

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4252

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4260

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4548

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4828

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3584

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3700

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3540

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3484

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3576

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:2844

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3600

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3112

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3596

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:1876

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3908

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:4240

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:1500

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:648

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:2128

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:1336

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:1204

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:1040

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3892

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:1660

C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pago copia SWIFT pdf.exe"
2⤵
PID:3924

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:4400

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2588-130-0x00000000039A0000-0x00000000039CD000-memory.dmp

Filesize
180KB

Download
memory/2588-131-0x0000000001F30000-0x0000000001F33000-memory.dmp

Filesize
12KB

Download
memory/4400-132-0x000002057F160000-0x000002057F170000-memory.dmp

Filesize
64KB

Download
memory/4400-133-0x000002057F720000-0x000002057F730000-memory.dmp

Filesize
64KB

Download
memory/4400-134-0x000002057FDE0000-0x000002057FDE4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads