864b531c5f5a397b3fd2a8aa91c83f956d93300db9c986bfa7ae4744d7cb732f

General

Target

Documento de envio.exe
Size

982KB
MD5

0fcc784f9400be0d78104a0043ee4479
SHA1

65cac3bdb71487d6e14480ade6397347289e047b
SHA256

864b531c5f5a397b3fd2a8aa91c83f956d93300db9c986bfa7ae4744d7cb732f
SHA512

b32a5475f7ec76dc88201383616e712d867757de39525ac5cda21536c5144e82fb3fe4b08f5024678823e8e1ca7bd8ffea0cbbeab8845636adb6e11e1fd1c975

Score

3^/10

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

652 588 WerFault.exe mshta.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

652 WerFault.exe
652 WerFault.exe
652 WerFault.exe
652 WerFault.exe
652 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

652 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 652 WerFault.exe

pid	pid_target	process	target process
652	588	WerFault.exe	mshta.exe

pid	process
652	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	652	WerFault.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

Documento de envio.exemshta.exe

description	pid	process	target process
PID 1100 wrote to memory of 588	1100	Documento de envio.exe	mshta.exe
PID 1100 wrote to memory of 588	1100	Documento de envio.exe	mshta.exe
PID 1100 wrote to memory of 588	1100	Documento de envio.exe	mshta.exe
PID 1100 wrote to memory of 588	1100	Documento de envio.exe	mshta.exe
PID 1100 wrote to memory of 588	1100	Documento de envio.exe	mshta.exe
PID 1100 wrote to memory of 588	1100	Documento de envio.exe	mshta.exe
PID 1100 wrote to memory of 588	1100	Documento de envio.exe	mshta.exe
PID 1100 wrote to memory of 588	1100	Documento de envio.exe	mshta.exe
PID 1100 wrote to memory of 588	1100	Documento de envio.exe	mshta.exe
PID 1100 wrote to memory of 588	1100	Documento de envio.exe	mshta.exe
PID 1100 wrote to memory of 588	1100	Documento de envio.exe	mshta.exe
PID 1100 wrote to memory of 588	1100	Documento de envio.exe	mshta.exe
PID 1100 wrote to memory of 588	1100	Documento de envio.exe	mshta.exe
PID 1100 wrote to memory of 588	1100	Documento de envio.exe	mshta.exe
PID 1100 wrote to memory of 588	1100	Documento de envio.exe	mshta.exe
PID 1100 wrote to memory of 588	1100	Documento de envio.exe	mshta.exe
PID 588 wrote to memory of 652	588	mshta.exe	WerFault.exe
PID 588 wrote to memory of 652	588	mshta.exe	WerFault.exe
PID 588 wrote to memory of 652	588	mshta.exe	WerFault.exe
PID 588 wrote to memory of 652	588	mshta.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\Documento de envio.exe
"C:\Users\Admin\AppData\Local\Temp\Documento de envio.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1100

C:\Windows\SysWOW64\mshta.exe
C:\Windows\System32\mshta.exe
2⤵
- Suspicious use of WriteProcessMemory
PID:588

memory/588-66-0x0000000000000000-mapping.dmp

Download
memory/588-70-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/588-71-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/588-72-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/588-73-0x0000000010670000-0x00000000107D0000-memory.dmp

Filesize
1.4MB

Download
memory/652-68-0x0000000000000000-mapping.dmp

Download
memory/652-74-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download
memory/1100-60-0x00000000757D1000-0x00000000757D3000-memory.dmp

Filesize
8KB

Download
memory/1100-61-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1100-63-0x00000000046C0000-0x0000000004704000-memory.dmp

Filesize
272KB

Download